Revisiting the Publication Culture
in Computing Research 


as the primary means of publishing
our research results. In contrast, the 
prevailing academic standard of ‘pub- 
lish’ is ‘publish in archival journals.’ 
Why are we the only discipline driving 
on the conference side of the ‘publica- 
tion road?’” 

In response to my editorial, Lance 
Fortnow wrote a Viewpoint column 
(Aug. 2009, p. 33), entitled “Time for 
Computer Science to Grow Up,” in 
which he concluded: “Computer sci- 
ence has grown to become a mature 
field where no major university can sur- 
vive without a strong CS department. It 
is time for computer science to grow 
up and publish in a way that represents 
the major discipline it has become.” 

The May 2009 editorial and the Au- 
gust 2009 column attracted a lot of at- 
tention in the blogosphere. The reac- 
tion has been mostly sympathetic to the 
point of view reflected in both pieces. 
For example, Jeanette Wing asked in 
her blog: “How can we break the cycle 
of deadline-driven research?”, and Fil- 
ippo Menczer, in a Letter to the Editor 
published in the November 2009 issue, 
said: “I propose the abolition of confer- 
ence proceedings altogether.” 

Not everyone, however, agreed with 
this point of view. For example, in an- 
other Letter to the Editor from the No- 
vember 2009 issue, Jano van Hemert 
said: “For CS to grow up, CS journals 
must grow up first.” Mr. van Hemert’s 
issue with computing-research journals
is that they are known to have “slow
turnaround, with most taking at least a
year to make a publish/reject decision
and some taking much longer before 
publishing.” Such end-to-end times, he 
argued, “are unheard of in other fields 
where journal editors make decisions 
in weeks, sometimes days.” 

While I have not seen concrete data
comparing publishing turnaround
times for computing-research journals
to those in other technical fields,
there is an abundance of anecdotal data
supporting the claim that computing- 
research journals are indeed quite 
slow. (The average time to editorial de- 
cision for Communications is under two 
months; that takes a concerted effort 
by the editorial board to ensure that 
the editorial process does not stall.) 
What is the reason for the unaccept- 
ably slow turnaround time in comput- 
ing-research journals? When consider- 
ing this question, one must factor the 
problem into two separate issues: time 
from submission to editorial decision,
and time from positive editorial decision
to publication.

First let us address the latter issue. 
All periodical journals have editorial 
“pipelines.” No publisher wants to face 
the threat of an empty issue; it’s akin 
to the dreaded dead air on television! 
Successful journals that attract many 
submissions often see their pipelines 
extend for up to two years. With the 
advent of electronic publishing, this 
problem can be eliminated or at least 
minimized. Communications uses its 
Virtual Extension (VE) to ensure its 
pipeline does not get longer than six 
months. VE articles undergo the same
rigorous review process as those in the 
print edition and are accepted for pub- 
lication on their merit. These articles 
are available in ACM’s Digital Library. 

Let us now consider the editorial 
process in computing-research jour- 
nals. Why is it soooo slow? Consider 
who is in charge of that process. It is 
not the publishers; it is the editors and 
referees. In other words, it is us. The
process is slow because that is the way 
we run it. If we want it changed, it is up 
to us to change it! I suspect that we can- 
not separate our conference-focused 
publication culture from our sluggish 
journal editorial process. Conferences 
have sharp deadlines, journals do not. 
We simply do not take our roles as edi- 
tors and referees as seriously as we do 
as program committee members be- 
cause we do not take journals as seri- 
ously as other fields. If we, as a com- 
munity, decide that we need to shift 
from conference-based publication 
to journal-based publication, we defi- 
nitely must address the slow editorial 
process, but we should not complain 
about “them journals.” We have found 
the enemy, and it is us! 

The 2010 Conference of the Com- 
puting Research Association (July 18- 
20, Snowbird, UT) will have a plenary 
panel on “Peer Review in Computing 
Research.” I look forward to that dis- 
cussion and hope it will help our com- 
munity reach consensus on this issue. 


Moshe Y. Vardi, EDITOR-IN-CHIEF 
letters to the editor


Too Much Debate? 


In his Editor’s Letter “More
Debate, Please!” (Jan. 2010),
Moshe Y. Vardi made a plea for
controversial topics on these 
pages, citing a desire to “let 
truth emerge from vigorous debate.” 
Though we support the sentiment as 
well, we question Vardi’s judgment in 
using his editorial position to mount
an attack on a 30-year-old article whose
authors were neither forewarned nor
given the opportunity to respond. 
Vardi’s target was our 1979 critique of 
formal program verification, “Social 
Processes and Proofs of Theorems and 
Programs,” co-authored with the late 
Alan J. Perlis, winner of the first ACM 
A.M. Turing Award and lifelong propo- 
nent for the kind of open discussion 
Vardi himself advocates. 

It is an extraordinary event when the 
Editor-in-Chief of a professional jour- 
nal uses his position to declare ex ca- 
thedra that a published article is “mis- 
guided,” its arguments “off the mark,” 
and prior editors “did err in publish- 
ing [the] article... without publishing a 
counterpoint article...” The irony is not 
lost on us that we were offered no such 
opportunity to respond prior to publi- 
cation of Vardi’s Letter. 


We completely disagree with Vardi’s
assessment and will respond to the
technical substance of his comments
at a later time. However, we stand by
the article’s two major predictions:

• That human-written proofs of real
systems would not work due to the lack
of the “social processes” that drive confidence
in mathematical proofs. Even
today, there are no human proofs of
real systems; and

• That formally specifying real systems
would continue to be impossibly
difficult, a position since vindicated 
by history. Where are the formal speci- 
fications for Windows 7, thousands 
of iPhone apps downloaded daily, and 
hundreds of thousands of other systems 
used every day in research, commerce, 
and government? They do not exist. 

Publication of “Social Processes and 
Proofs of Theorems and Programs” was 
not a singular event. It was refereed. A 
preliminary version was accepted by a
highly selective conference program 
committee in 1976—predating by more 
than a year the article by Amir Pnueli 
that Vardi criticized us for not citing— 
and its presentation was attended by 
virtually every living contributor to the 
field. It was then submitted to Commu- 
nications and reviewed by anonymous 
referees. Its publication was followed
by months of public presentations and
workshops, letters to the editor, written
reinforcements and rebuttals, and—
years later—a special issue of Communications
devoted to the topic.

The article was widely read and
commented on by computer scientists,
engineers, and mathematicians but,
rather than spark debate in the formal
verification community, provoked only
stony silence. A quick scan of the formal
verification literature in the years
1979-1990 reveals virtually no citations 
to the article. In what sense is an article 
“controversial” if one side refuses to 
engage in discussion? Indeed, email 
circulating among the principals in the 
field aimed to tamp down debate and 
ignore our argument that many out- 
side the field still consider substantial 
and prescient. 

The field of formal program verifica- 
tion has changed substantially since 
1979. Its goals have become more modest
and its claims less sweeping. New
methods have emerged. An equally
compelling reading of history suggests
that, during the long silence, the formal
verification research community
realized it had been misguided in 1979
and used the arguments—without attribution—set
forth in the article as a
roadmap to reorient its agenda.

The article itself has been reprinted 
dozens of times, as well as in several 
anthologies in the philosophy of mathematics.
Donald MacKenzie’s book
Mechanizing Proof: Computing, Risk,
and Trust (MIT Press, Cambridge, MA,
2001) remains the definitive sociological
and historical analysis of both the
article and its implications for the field. 
If, to Vardi, our arguments seem off the 
mark, then perhaps the right course
is to resurrect the social process that
led to the article’s publication in the
first place and jump into the fray. Until
that time, the correct editorial position
for Communications and its Editor-in-Chief
is to let both the article (and the
written record that surrounds it) speak
for itself.

It is inappropriate, after 30 years of
silence, to use the cover of an editorship
to attack unsuspecting passersby,
especially while touting the moral virtues
of free and vigorous debate.

Richard A. DeMillo and
Richard J. Lipton, Atlanta, GA


Author’s Response:
It seems both DeMillo and Lipton feel
slighted by my Editor's Letter (Jan. 2010). 

I had no intention of slighting them or 

the article in question and apologize for 
unintentionally causing them to feel this way. 

Now to the substantive points in their 
comment: 

1. I am accused of using my editorial position
to “mount an attack” on an article published
in Communications in 1979. DeMillo
and Lipton imply that it is inappropriate for 
an Editor-in-Chief to comment negatively on 
an article published in Communications. 

The article in question is more than 30 
years old. History, it is said, “judges and rejudges.”
I hardly view my offering of some
comments, even if critical, on such a historically
important article as “mounting
an attack.” Personally, if someone saw the
need to disagree with an article of mine 30 
years after its publication, I'd feel compli- 
mented. Most articles are long forgotten 
after 30 years. 

Regarding whether it is appropriate for 
an Editor-in-Chief to comment on articles 
published decades earlier, one should note 
that even the U.S. Supreme Court occasionally
reverses itself. I never heard of “stare
decisis,” the principle that precedent decisions
are to be followed by the courts, being
applied to editorial matters across such
a time span. (In contrast, when I assumed 
the position of Editor-in-Chief, I committed 
to respecting all prior editorial decisions in 
regard to pending submissions to Commu- 
nications.) 


2. I am accused of not offering DeMillo
and Lipton an opportunity to respond prior 
to publication of my Editor's Letter. As Edi- 
tor-in-Chief I write such bimonthly Editor's 
Letters in which I often express opinions on 
controversial matters. The proper way to 
disagree with them, and many people do, is 
to leave comments online or submit a letter 
to the editor. This is standard operating procedure
in all publications I am aware of.

As Editor-in-Chief, I am committed to a 
scrupulous peer-review process for submit- 
ted articles, but I have not taken a vow of 
silence, nor does it make sense for me to do 
so. Furthermore, I gladly welcome the Edi- 
tor-in-Chief in 2040 to reexamine my edito- 
rial decisions. 

3. It seems that DeMillo and Lipton were
offended by my use of the word “misguided.” 
But one should read the full context of the
word: “With hindsight of 30 years, it seems
that DeMillo, Lipton, and Perlis’ article has
proven to be rather misguided. In fact, it is 
interesting to read it now and see how argu- 
ments that seemed so compelling in 1979 
seem so off the mark today.” 

In the paragraph that preceded these 
sentences, I referred to two Turing Awards 
given for works in formal verification. Due to 
lack of space, I did not include references to 
two ACM Kanellakis Awards and two ACM 
Software System Awards for works in for- 
mal verification. 


It is in this context that I expressed an
opinion that the 1979 article, which implied
the futility of formal verification as an activ- 
ity and, by implication, as a research area 
was “misguided,” with “hindsight of 30 years” 
in spite of “its compelling arguments.” 

4. DeMillo and Lipton disagree with my
opinion that “the editors of Communications
in 1979 did err in publishing an article that
can fairly be described as tendentious without
publishing a counterpoint article in the
same issue.”

The subject (and title) of my editorial was 
“More Debate, Please!” The article in ques- 
tion is one of the most controversial and in- 
fluential ever published in Communications. 
I read it as a graduate student and was 
deeply affected by it. I singled it out because 
it was the perfect example for making the 
point of my editorial, which did not focus on 
analyzing the 1979 article. Rather, its main 
point was that, in my opinion, even with 30- 
year hindsight, the editors in 1979 did abso- 
lutely the right thing in publishing it. 

It is precisely because the 1979 article 
was so influential that I chose it as an example.
I honestly feel that its authors should be
pleased that it is still trenchant, even if some
people disagree with its major thrust.

I am well aware of the process that led
to its publication in 1979. I stand behind my
opinion about the lack of a counterpoint article.
DeMillo and Lipton are entitled to a different
opinion. We may need to agree to disagree
on this one. I do not see why this is an
issue that deserves such a strongly worded 
response, when I expressed strong support 
for the editorial decision to publish the ar- 
ticle, even with the hindsight of 30 years. 


5. I'd rather not respond here to DeMillo
and Lipton on the merits of their article. I
would, however, welcome a new article from
them examining the issues they covered in
1979. I would of course seek to publish a
counterpoint article in the same issue.
Moshe Y. Vardi, Editor-in-Chief 


Give Scratch an Abstraction 
Mechanism 

I welcome the efforts described by 
Mitchel Resnick et al. in “Scratch: Pro- 
gramming for All” (Nov. 2009) to famil- 
iarize more people with programming. 
However, when I downloaded Scratch 
from the Scratch Web site (http://scratch.mit.edu)
and looked over the
Scratch programming constructions,
I found no convenient abstraction
mechanism, as in, say, a facility to define
and call parameterized functions.
Such a mechanism could be viewed
as advanced and not easily digested by
the intended users of the Scratch programming
language. But some projects
on the Scratch Web site feature
significant code redundancy and could 
be reduced in size and simplified if the 
code could be restructured through a 
few suitable functions. 

Though not all Scratch programmers
would be comfortable with an abstraction
mechanism, it seems a pity that
something so fundamental does not
even exist, and so cannot be conveniently
demonstrated and disseminated.
Second in importance and also 
missing from the Scratch program- 
ming language is a data-structuring 
mechanism. 
Thorkil Naur and Karen Brahes, 
Odense, Denmark 


Authors’ Response: 
Abstraction is an important compu- 
tational concept, and a simple form 
of procedural abstraction is provided
by Scratch’s “broadcast” mechanism. 
That’s why we added parameterized 
procedures to some experimental ver- 
sions of Scratch, though we have not 
yet come up with a design that satisfies 
our goals of simplicity and understand- 
ability. We’re continuing to experi- 
ment, hoping to include more forms 
of abstraction in future versions. 
The Scratch Team, Cambridge, MA 


Recognition for the 

Unaffiliated, Too 

I was heartened by Wendy Hall’s in- 
terest, as expressed in her President’s 
Letter “ACM Europe” (Oct. 2009), in 
student chapters, award nominations, 
and conferences sponsored by the 
ACM in Europe. 

I regularly seek out opportunities 
for public recognition and awards 
for ACM members not affiliated with 
universities. For example, the tradi- 
tional rule requiring three or more 
endorsements for a researcher to be 
considered for an award is a barrier to 
would-be nominees not affiliated with 
universities or in the pool of preferred 
students of their academic mentors. 
The situation is even more problem- 
atic if an individual’s research is based 
on his/her long-standing experience in 
an area of expertise not currently “pop- 
ular” in universities. 

I therefore suggest the ACM in Europe
establish a committee to consider
self-nominations and invite
volunteers from among the young researchers
who promote computer science
in their spare time, rather than as
salaried academics. 

Concerning conferences and other 
events, I’d also like to propose ACM 
set up summer schools open to all 
enthusiasts who promote electrical 
engineering and computer science. 
Locating them in popular tourist areas 
would be another way for ACM in Europe
to increase interest in more traditional
ACM activities and individual
memberships.


Miroslav Skoric, Novi Sad, Serbia 


Communications welcomes your opinion. To submit a 
Letter to the Editor, please limit your comments to 500 
words or less and send to letters@cacm.acm.org 
In the Virtual Extension


Communications’ Virtual Extension brings more quality articles to ACM 
members. These articles are now available in the ACM Digital Library. 


Is Stickiness Profitable for 
Electronic Retailers? 


Lin Lin, Paul Jen-Hwa Hu, 
Olivia R. Liu Sheng, and Johnny Lee 


Current e-commerce practices suffer from 
a lack of accurate bottom-line performance 
metrics. Although conventional wisdom 
suggests that measurements such as 
stickiness or number of visitors might
offer a clue, no empirical evidence to
date has shown any conclusive proof for
such assumptions. The authors analyze 
the relationship between customers’ 
in-session visiting behavior measured by 
“stickiness” and their conversion behavior. 
This study directly answers the question: 
“Does visiting behavior measurement 

really serve as an effective tool for 
predicting customer purchase intentions?” 
Their findings greatly improve our 
understanding of the phenomenon under 
study and would have immediate impact 
on current business practice. 


Practitioner-Based Measurement: 
A Collaborative Approach 


S.T. Parkinson, R.M. Hierons, M. Lycett, 
and M. Norman 


It is widely understood that a program to 
improve software quality can be expected 
to recoup its cost many times over.
The authors put forward two distinctly
different models as the way to successfully 
implement such programs. This work 
defines a hybrid, practitioner-based 
model and evaluates the implementation 
of a measurement framework in a major 
insurance organization. Research was 
conducted to understand the critical 
success factors in implementing software 
measurement programs, develop a 
measurement framework to address these 
factors, implement a pilot program, and 
reflect on the outcomes. 


Organizational Adoption 
of Open Source Software: 
Barriers and Remedies 


Del Nagy, Areej M. Yassin, 
and Anol Bhattacherjee 


Considerable excitement in the business 
community surrounds open source 
software as these applications appear to 
offer increased contextual functionality 
or technical performance along with 
reduced costs. Several barriers, however, 
prevent organizations from easily 
adopting these technologies. The authors 
examine adoption barriers surrounding
organizational knowledge, legacy
integration, open source software forking, 
sunk costs, and technological immaturity, 
as well as provide potential remedies to 
these barriers for organizations looking to 
adopt open source software. 


Aligning Undergraduate IS 
Curricula With Industry Needs 


John H. Benamati, Zafer D. Ozdemir, 
and H. Jeff Smith 


Industry executives now seek IS graduates
with higher-level skills. The vast majority
of the top business schools (69%) have
made recent curricular changes consistent
with changing industry demands. Across
MIS programs in top 50 business schools,
the collective number of IS graduates was 
down 60% from 2003 to 2007. From 2006 
to 2007, schools with changes combined to 
graduate 19% more MIS students while the 
number of graduates continued to decline 
in schools with no curricular changes. A 
coordinated effort by industry executives 
and academics is required to address
IS industry demand for both skills and
number of graduates. 


Agent-Oriented Embedded 
Electronic Measuring Systems 
Hing Kai Chan 


Most of the reported literature regarding
agent technology has been focusing
on the theoretical foundations of agent
applications. This article, in contrast, sets 
out to discuss two real-life applications of 
agent technology on embedded electronic 
measuring systems. The author discusses 
the reason why agent technology was 
employed in each case as well as addresses 
the difficulties that occur during the 
course of design, agent-based software 
development, and implementation.
Pros and cons with respect to the two
applications are presented, allowing
readers to gain insights into why, and how,
agent-technology could be applied in real-life
applications.


Business Continuity 
and the Banking Industry 
Fabio Arduini and Vincenzo Morabito 


Recent natural disasters and acts of
terrorism have propelled renewed interest in
emergency planning in both the private and
public sector. Business continuity (BC) is
fast becoming a key task within all industrial
and business specificities. The authors 
focus on the importance of BC strategies 
throughout any organization, particularly 
the banking industry where management 
has often depended on technologies it does 
not fully understand. BC planning should 
be considered a businesswide approach 
and not an IT-focused one, the authors 
warn. Moreover, such planning must be an 
ongoing commitment adopted among the 
various levels of management within an 
organization. 


User Participation in Software 
Development Projects 


Ramanath Subramanyam, Fei Lee 
Weisstein, and M.S. Krishnan 


Eliciting user input has been considered
crucial for successful software development.
Consistent with this notion, both
researchers and practitioners have viewed 
user participation as an important way to 
improve software quality, increase user 
satisfaction, and promote user acceptance. 
Product development leaders and project
managers might lean toward increasing the
users’ input into the development process.
However, empirical evidence also shows that 
user participation might negatively influence 
performance by making the process more 
difficult, lengthy, and less effective. In this 
study, the authors empirically examine both 
the ‘developer-side’ and ‘user-side’ impacts 
of user participation and underscore the 
need to carefully manage customer-team 
interactions. 


A Framework for Health Care 
Information Assurance Policy and 
Compliance 


Sherrie Drye Cannoy and A.F. Salam


As many as 400 people may have access
to one’s personal medical information
throughout the typical care process.
Patients and consumers need to feel their 
sensitive electronic records or information 
are protected against unauthorized access, 
transmission, and disclosure. HIPAA
and related policies ensure that health
records are kept confidential. However, if 
employees fail to understand compliance 
policies, it becomes difficult to keep 
patient information confidential. Based on 
a multi-site case study, this article presents 
a framework of Information Assurance 
Policy and Compliance factors addressing 
the behavioral dimension in the context of 
patient health care information. 
Too Much Programming
Too Soon?


Mark Guzdial and Judy Robertson discuss the role 
of programming in introductory computer science. 


From Mark Guzdial’s
“How We Teach Introductory
Computer Science is Wrong”
http://cacm.acm.org/blogs/blog-cacm/45725
I’ve been interested in John Sweller and 
Cognitive Load Theory since reading Ray 
Lister’s 2008 Australasian Computing 
Education Conference keynote paper, 
“After the Gold Rush: Toward Sustainable
Scholarship in Computing.” I assigned
several papers on the topic to my
educational technology class. Those papers
have been influencing my thinking
about how we teach computing. 

In general, we teach computing by 
asking students to engage in the activity
of professionals in the field: by programming.
We lecture to them and have
them study texts, of course, but most
of the learning is expected to occur 
through the practice of programming. 
We teach programming by having stu- 
dents program. 

The original 1985 Sweller and Cooper
paper on worked examples had five
studies with similar setups. There are
two groups of students, each of which
is shown two worked-out algebra problems.
Our experimental group then
gets eight more algebra problems, 
completely worked out. Our control 
group solves those eight problems. As 
you might imagine, the control group 
takes five times as long to complete
the eight problems than the experiment
group takes to simply read them.
Both groups then get new problems
to solve. The experimental group solves
the problems in half the time and with
fewer errors than the control group. Not
problem-solving leads to better problem-solving
skills than those doing
problem-solving. That’s when educational
psychologists began to question
the idea that we should best teach
problem-solving by having students 
solve problems. 

The paper by Kirschner, Sweller, 
and Clark (KSC) is the most outspo- 
ken and most interesting of the pa- 
pers in this thread of research. Their 
title states their basic premise: “Why 
Minimal Guidance During Instruc- 
tion Does Not Work: An Analysis of the 
Failure of Constructivist, Discovery, 
Problem-Based, Experiential, and In- 
quiry-Based Teaching.” What exactly 
is minimal instruction? And are they 
really describing us? I think this quote
describes how we work in computing
education pretty well:

"There seem to be two main as- 
sumptions underlying instructional 
programs using minimal guidance.
First[,] they challenge students to solve 
“authentic” problems or acquire com- 
plex knowledge in information-rich 
settings based on the assumption that 
having learners construct their own so- 
lutions leads to the most effective learn- 
ing experience. Second, they appear to 
assume that knowledge can best be ac- 
quired through experience based on the 
procedures of the discipline (i.e., seeing 
the pedagogic content of the learning ex- 
perience as identical to the methods and 
processes or epistemology of the discipline
being studied; Kirschner, 1992).”

That seems to reflect our practice, 
paraphrased as “people should learn 
to program by constructing a program 
from the basic information on the lan- 
guage, and they should do it in the same 
way that experts do it.” The paper then 
presents all the evidence showing that 
this “minimally-guided instruction” 
does not work: 

"After a half-century of advocacy as- 
sociated with instruction using mini- 
mal guidance, it appears that there is 
no body of research supporting the 
technique. In so far as there is any evi- 
dence from controlled studies, it al- 
most uniformly supports direct, strong 
instructional guidance rather than 
constructivist-based minimal guidance 
during the instruction of novice to in- 
termediate learners." 

There have been rebuttals to this 
article. What's striking about these rebuttals
is that they basically say, “But
not problem-based and inquiry-based 
learning! Those are actually guided, 
scaffolded forms of instruction.” 
What’s striking is that no one challeng- 
es KSC on the basic premise, that putting 
introductory students in the position of 
discovering information for themselves 
is a bad idea! In general, the educa- 
tional psychology community (from 
the papers I’ve read) says that expect- 
ing students to program as a way of 
learning programming is an ineffec- 
tive way to teach. 

What should we do instead? That’s 
a big, open question. Pete Pirolli and 
Mimi Recker have explored the methods
of worked examples and cognitive load 
theory in programming, and found that 
they work pretty well. Lots of options are 
being explored in this literature, from 
using tools like intelligent tutors to focusing
on program “completion” problems
(van Merriënboer and Krammer in
1987 got great results using completion 
rather than program generation). 

This literature is not saying never 
program. Rather, it’s a bad way to start. 
Students need the opportunity to gain 
knowledge first, before programming, 
just as with reading. Later, there is 
an expertise reversal effect, where the 
worked example effect disappears, 
then reverses. Intermediate students 
do learn better with real programming, 
real problem-solving. There is a place 
for minimally guided student activity, 
including programming. It’s just not at 
the beginning. 

Overall, I find this literature unin- 
tuitive. It seems obvious to me that the 
way to learn to program is by program- 
ming. It seems obvious to me that real 
programming can be motivating. But 
KSC respond to this, too, noting that 
“it is easy to share the puzzlement of 
Handelsman et al. (2004), who, when 
discussing science education, asked”:

"Why do outstanding scientists who
demand rigorous proof for scientific assertions
in their research continue to
use and, indeed defend on the basis of
intuition alone, teaching methods that
are not the most effective?"

This literature doesn’t offer a lot of 
obvious answers for how to do com- 
puting education better. It does, how- 
ever, provide strong evidence that what 
we're doing is wrong, and offers pointers
to how other disciplines have done
it better. It’s a challenge to us to question
our practice.


From Judy Robertson's 
“Introductory 
Computer Science 
Lessons—Take Heart!” 
I was somewhat alarmed to read Mark 
Guzdial’s excellent and thought-pro- 
voking post, which argues that the way 
we teach introductory computer sci- 
ence is wrong. His argument is that 
some of the educational psychology lit- 
erature claims that minimally guided 
instruction techniques, such as discov- 
ery learning, constructivism, and prob- 
lem-based learning, are less effective 
than strongly guided instruction tech- 
niques. As an extension to this: teach- 
ing programming through the practice 
of programming itself is not effective
for novices. As a lecturer of a first-year
programming module myself, I spluttered
into my cup of tea and hurried
off to read the Kirschner, Sweller, and 
Clark article Mark recommended. 


Kirschner, Sweller, and Clark have
some strong words to say against minimally
guided instruction approaches.
For example, “The goal of instruction 
is rarely simply to search for or discover 
information. The goal is to give learners 
explicit guidance about how to cogni- 
tively manipulate information in ways 
that are consistent with a learning goal, 
and store the result in long-term mem- 
ory.” But hang on: in higher education 
we generally regard it as important that 
students know how to search and discover
information for themselves. They
require skills in self-directed learning.
In the context of programming, for example,
we may wish them to know how
to look up documentation. We would
also generally expect them to be able
to search for information sources in 
the first stage of carrying out a research 
project. I suspect this is a question of 
the stage of cognitive and metacogni- 
tive development the learner is at in 
first year, and whether it is reasonable
to expect more of them than manipulating
information and storing it in
long-term memory. 

The authors also write: “[It] may be 
a fundamental error to assume that 
the pedagogic content of the learning 
experience is identical to the methods 
and processes (i.e., the epistemology)
of the discipline being studied and a 
mistake to assume that instruction 
should exclusively focus on methods 
and processes.” 

I don’t think that introductory com- 
puter science teaching does focus only 
on methods and processes. In fact, it is 
a bit of a straw man to consider what 
goes on in first-year computer science 
classes as pure minimally guided in- 
struction anyway. Obviously there is a 
huge range of teaching approaches to 
novice programming across the world, 
but let’s take Barnes and Kölling’s
Objects First With Java textbook and the
BlueJ environment. It’s very popular 
and used as an introductory text in 
many computer science departments. 
One of the features of this well-designed
textbook is that it aims to teach
high-level concepts as a priority over 
lower-level language constructs. The 
BlueJ environment enables students 
to experiment with object orientation 
by calling methods on objects in a 
graphical environment. The textbook 
encourages students to read code be- 
fore they write it, and “wire in” small 
segments of their own code into a pre- 
written program. The lecture slides 
that come with the book give specific 
instruction and worked examples; 
students typically receive this sort of 
instruction before working on small 
examples in the lab. In fact, working 
on small examples after a lecture on 
programming concepts is, in my ex- 
perience, a fairly common pattern in 
first-year instruction. 

Kirschner, Sweller, and Clark rec- 
ommend: a) providing worked exam- 
ples for students to read and, b) pro- 
viding process worksheets that explain 
to students the processes they should 
go through when solving problems. 
These are sensible suggestions, but I 
wouldn’t say they are unusual for computer
science teaching. I would suggest
that we tend to use a mixed bag of in- 
structional techniques rather than bas- 
ing our pedagogy on pure theory. And 
therefore, we probably get our first-year 
teaching right at least part of the time. 
Which is a bit of a comfort. 


Mark Guzdial is a professor at the Georgia Institute 
of Technology. Judy Robertson is a senior lecturer at 
Heriot-Watt University. 

SIGGRAPH’S DEBEVEC WINS ACADEMY AWARD

SIGGRAPH 
Executive 
Committee 
Director-at-Large 
Paul Debevec 
recently received 
a Scientific and 
Engineering Award from the 
Academy of Motion Picture Arts 
and Sciences. Debevec, with Tim 
Hawkins, John Monos, and Mark 
Sagar, were recognized for the 
design and engineering of the 
Light Stage capture devices and 
the image-based facial rendering 
system developed for character
relighting in motion pictures.


In an email interview, 
Debevec, who leads the graphics 
laboratory at the University of 
Southern California’s Institute 
for Creative Technologies, 
discussed the Light Stage 
capture devices’ computational 
challenges. “Our classic Light 
Stage process built realistic 
computer graphics models of 
actors by taking photographs 
of the actor’s face under 
hundreds or thousands of 
different lighting directions, 
often from multiple viewpoints. 
This allowed an image-based 
approach to rendering the 
actor under complex lighting 
environments by computing 
linear combinations of the 
images taken under the
different conditions. The
imagery was a huge amount
of data, especially when it was 
scanned at film resolution. 
One observation we made was 
that the linear combinations 
could be computed even from 
image data projected onto a 
compressed basis. We could 
thus relight the actor’s face 
by directly recombining the 
compressed image data, and 
then decompressing the result. 
Using this technique, our Face 
Demo software (http://www.debevec.org/FaceDemo/) could
relight human faces in real time 
even back in the year 2000.” 
Currently, Debevec and 
colleagues are making the 
process of creating animated 
digital characters from their 
Light Stage data much more 
automatic, trying to improve on 
the results of their recent Digital 
Emily project. —Jack Rosenberger 

News

CS and Biology’s Growing Pains


Biologists can benefit from learning and using the tools 
of computer science, but several real-world obstacles remain. 


THE COMPATIBILITY OF computer
science and biology—two disparate yet
increasingly symbiotic branches of
knowledge—is becoming a
hot topic among academic scientists.
Recent publications in popular and
academic journals have called for mandating
stronger computer and mathematics
courses for undergraduate
biology majors. Those treatises have
been met by equally ardent responses
among some biologists claiming that 
mandating additional background in 
computer science and math will not 
necessarily advance a budding biolo- 
gist’s academic and career success. 

“To grossly oversimplify it, computer
science is all about the binary, and in
biology, things don’t lend themselves
to binary distinction,” says John Timmer,
the science editor of Arstechnica.com,
who has a Ph.D. in molecular and
cell biology. Timmer recently wrote 
an opinion piece, “Should Biologists 
Study Computer Science?”, that took 
to task advocates of increased empha- 
sis on undergraduate computer sci- 
ence and math. Timmer argued that 
knowing how to use a given tool, and 
having enough domain knowledge to 
be able to flag outlying results, should
be sufficient for most biologists.

A New Jersey high school student works in a
Rutgers University lab as part of a research
project on decoding a DNA sequence.

“Obviously, computer scientists 
can do things that are far more subtle 
than binary logic,” Timmer says, “but 
the fact that the most basic concepts 
in biology, like genes and species, ex- 
ist along a full spectrum and can often 
be defined using different definitions 
doesn’t lend itself to definitive com- 
puterized analysis very cleanly.” 

Computer scientist Nir Piterman,
a research fellow at Imperial College,
says Timmer may be right, but that
“the central role of the computer in our
lives” will mandate that biologists learn 
some foundational basics of computa- 
tion such as algorithmic thinking and 
some sort of formal expression. 

“The advantages are not only in be- 
ing able to do the things that are re- 
quired in order to do modeling or more 
computational biology,” says Piter- 
man, “but this way of thinking can help 
many fields of biology to communicate 
better, and to harness computing bet- 
ter, by being able to share information 
more formally. Maybe it’s less natural 
to do it in biology, but the power of 
computing makes it less than optimal 
to avoid this.” 


A High-School Solution? 

The goal to strengthen biologists’ com- 
puter science and math backgrounds 
faces a major obstacle within college 
curricular structures. For instance, try- 
ing to design a quantitative thinking 
and computer science offering that 
would satisfy all fields of biology is ex- 
tremely difficult. Also, students’ sched- 
ules are already filled with existing 
requirements. Adam Siepel, assistant 
professor of biological statistics and 
computational biology at Cornell Uni- 
versity, says the university is grappling 
with this issue. 

“There’s such a broad spectrum of 
activities going on under the rubric of 
biology, from what is essentially physi- 
ology to organismal biology, to ecol- 
ogy,” Siepel says. “These disciplines 
have almost nothing to do with one another.
I was part of a task force last year
that was reviewing the undergraduate
curriculum for biology and it was really
a struggle.” 

Siepel says the math requirements 
were examined closely, but the faculty 
concluded that sending biology stu- 
dents out of the department for math, 
computer science, and statistics survey 
courses was unpopular and counter- 
productive. 

“There was general agreement the 
students should have something that 
really connects better with biology, 
maybe less calculus, more statistics 
and computer science, maybe some- 
thing about computational sequence 
analysis or something along those 
lines,” Siepel says. “But it’s a struggle. 
The students already have a full set of 
requirements and any time you add a 
new one, you have to bump something 
else. We didn’t get very far on that is- 
sue. You get in a situation where you al- 
most have to require a five-year instead 
of a four-year degree if you're really 
going to educate them in the physical 
sciences and math and statistics and 
computer science as well as all the bi- 
ology requirements.” 


Siepel says he has had numerous
students who want to take an upper-level
course and express an interest in
some aspect of computational biology,
only to discover they lack a sufficient
background in math or computer science
to really pursue that interest. And,
Siepel reiterates, their schedules are already
too full.

“To be frank,” says Siepel, “part of
it is the failure of high schools to be
providing basic education in mathematics
and sciences before the students
get to universities.”

That shortcoming may be addressed
soon. In 2009, the College
Board released the draft of its revised
Advanced Placement (AP) biology
curriculum for high school seniors
in response to the National Research
Council’s 2002 report Learning and
Understanding: Improving Advanced
Study of Mathematics and Science in
U.S. High Schools. The new curriculum
includes significant changes in four
areas, including quantitative and computational
thinking. According to the
College Board draft, “Students will be
encouraged to develop their ability to
apply mathematics to wide sectors of
biology so that they can better test hypotheses,
model biological phenomena,
interrogate complex data sets, and
represent and interpret visualizations
of relationships.”


Raina Robeva, chair of the math- 
ematical sciences department at Sweet 
Briar College, says the new AP cur- 
riculum should have a profound effect 
on incoming students’ capabilities. 
“Whether we like it or not, the College 
Board drives a lot of this, so if they are
saying they are changing all of this, the
AP exams will change to reflect this and
all those students will have more of a
quantitative background when they get
to college, and will take those skills to
higher-level biology courses.”

As part of a National Science Foundation-funded project, New Jersey high school students
conduct bioinformatics research on lab computers at Rutgers University.


Real-World Dilemmas 

Even if fundamental concepts are 
added to advanced secondary school 
curricula and undergraduate courses, 
the workaday problem of reconciling
the principles of computer science and
math with the realities of biologic research
remains. Sarah Killcoyne and
John Boyle, senior software engineer 
and senior research scientist, respec- 
tively, at the Institute for Systems Bi- 
ology, co-authored “Managing Chaos: 
Lessons Learned Developing Software 
in the Life Sciences,” in the November- 
December 2009 issue of Computing in 
Science and Engineering. 

In their paper, Killcoyne and Boyle 
pointed out that biology, due to its 
descriptive nature, lacks the grand 
underlying mathematical theory, and 
hence formalized body of expression, 
that is present in physics. This makes 
software development far more difficult
in life sciences, and the two communities
remain struggling to communicate
their needs. Boyle says teaching
biologists and computer scientists an 
appreciation for each other’s disci- 
pline might be more useful than trying 
to convince biologists they need a cer- 
tain amount of computing and math 
proficiency to do their jobs. 

“You hate to say this, but a lot of 
people don’t care, and rightly so,” Boyle 
says. “They’re busy people. Should they 
know the ins and outs of how to use a 
bioinformatics tool? In a perfect world,
yes, they should. But is it something
that’s holding back scientific progress?
Can they go to someone else and
get that person to help them? Yes. Can
they get by without it? Sometimes.


“We tend to be a little bit pragmatic 
here. ‘Is it something that’s holding 
us back doing research?’ is always go- 
ing to be the fundamental question,” 
says Boyle. 

Part of the problem, says Adam Siepel, “is the failure
of high schools to be providing basic education in
mathematics and sciences before the students get
to universities.”

Perhaps the debate over exactly how
computationally savvy the majority of
biologists should be will devolve simply
due to the fact that certain areas of
biology will naturally lend themselves
to more computationally intensive approaches
than others. Boyle says the
contention that a number of computa- 
tionally skilled biologists specializing 
in these areas will advance the cross- 
pollination of the disciplines in a kind 
of natural selection process may have 
credence. A researcher at Microsoft 
Research Cambridge, Jasmin Fisher 
is a pioneer of this sort of “executable 
biology,” which she says will not only 
winnow out false steps in the process 
of evaluating an idea, but also illumi- 
nate hypotheses for which noncompu- 
tational calculations would be prohibi- 
tively difficult or missed altogether. 

“Serious biological research with 
living material takes a long time,” 
Fisher says. “The thing we’re trying to 
say here is this kind of modeling will 
help to focus and direct the next ex- 
periment and save time and resourc- 
es. This is the key point.” 

One example of such an approach is 
work Fisher and colleagues, including 
Piterman (who is married to Fisher), 
computer scientist Tom Henzinger 
(who is president of the Institute of 
Science and Technology Austria), and
University of Zurich biology professor
Alex Hajnal, performed while studying
earthworm vulva development.

“While modeling the crosstalk between
two signaling pathways operating
in the cells that eventually become
the worm’s egg-laying system,
we predicted a very specific order of
events related to this particular developmental
process,” Fisher says.
“This then led to the design of an experiment
that was performed in the
lab, and validated experimentally the
prediction provided by the modeling
work. The point here is that, one,
without the modeling work this prediction
would not have been thought
of, and, two, without the prediction,
the experiment would not have been
designed and performed in the lab.
I think this is a beautiful example 
of how this kind of knowledge from 
computer science can be channeled 
to direct lab experiments and shed 
new light on the biological system 
that we study.” 

Whatever approach the two disci- 
plines’ practitioners ultimately decide 
upon to create a more seamless in- 
teraction between them, Robeva says 
the heightened level of discussion, 
disagreements and all, is beneficial 
for both disciplines in crafting a more 
compatible future. 

“It used to be the case that biology 
needed math, and mathematicians 
would answer a biologist’s problem 
out of a sense of community service,” 
she says. “But now biology problems 
are generating way more math ques- 
tions than mathematicians can an- 
swer. It seems at this juncture that 
momentum is going for both the bi- 
ologists and the mathematicians, so it 
seems the stars are aligning.”

Artificial Intelligence

Israel’s Robotic Warfare


Israel is leading the world in the 
development of robotic fighting 
machines, according to a recent 
article by Charles Levinson in 
The Wall Street Journal. The 
article, “Israeli Robots Remake 
Battlefield,” attributed Israel’s 
role as one of the world’s top 
military robotic innovators
to its six decades of almost
uninterrupted warfare, a low
acceptance for enduring human
casualties, and an agile and
robust high-tech industry.

“We're trying to get to 
unmanned vehicles everywhere 
on the battlefield for each 
platoon in the field,” Lt. Col. 
Oren Berebbi, head of the Israel 
Defense Forces’ technology 
branch told The Wall Street 
Journal. “We can do more and 
more missions without putting 
a soldier at risk.”

One-third of Israel’s military 
machines will be unmanned in 
the next 10-15 years, predicts 
Giora Katz, vice president 
of Rafael Advanced Defense 
Systems Ltd., a leading Israeli 
weapons manufacturer. 

Israel’s robotic machines 
include the long-range 
Heron drone, which can fly 
continuously at an altitude of 
30,000 feet for 30 hours; the 
Guardium unmanned ground 
vehicle, an armored golf cart 
equipped with optical sensors 
and surveillance gear, which 
is used to patrol the Gaza and 
Lebanese borders; remote- 
controlled bulldozers that open 
supply routes and transport 
food and ammunition through 
hostile territory to the front 
lines; and the Protector SV, a 
nine-meter-long, well-armed 
speedboat that constitutes a 
growing part of the Israeli navy. 

Coming soon is a six- 
wheeled Rex robot, which can 
carry 550 pounds of equipment 
alongside advancing troops. 

More than 40 nations 
possess military robotics 
programs, with many of them 
focusing on aerial drones. A 
military robotics milestone was 
reached last year when the U.S. 
Air Force, for the first time ever, 
trained more drone operators 
for its unmanned aircraft than 
it did pilots for its manned 
fighters and bombers. 

Kirk L. Kroeker

Engineering the Web's Third Decade


As Web technologies move beyond two-way interactive capabilities to facilitate more dynamic 
and pervasive experiences, the Web is quickly advancing toward its third major upgrade. 


RESEARCHERS WORKING ON
the next generation of Web
technology tend to avoid
hyperbole, using language
more cautious than the
erstwhile bravado frequently exhibited
by Internet evangelists prior to the big
dot-com bust. Today, the Web is quickly
advancing toward its third decade and
to what many are calling its third major
upgrade. It is moving beyond mere
two-way interactive Web 2.0 technologies
to a more dynamic, pervasive, and
perhaps even more human experience.


Indeed, as Web 3.0 emerges, those 
working at the forefront of Internet 
technology research tend to speak with 
guarded language, suggesting the next 
major advancements in Web technolo- 
gies might be more evolutionary than 
revolutionary—at least for now. 

Use of the term “Web 3.0” to describe
the Web’s next major developments
has become loaded, capable of
connoting very different implications
for technology and society. At least one 
popular idea hovering around use of 
the term Web 3.0 is that Web 3.0 tech- 
nologies will help filter the “wisdom of 
the crowd” so that it doesn’t become 
the “madness of the mob.” Critics of 
this position suggest this way of think- 
ing will contribute to a reduction of the 
kind of democratization on the Web 
that made it so popular as a medium 
for information sharing, social interac- 
tion, and other forms of expression. 
Richard Stanton, chief executive of 
Bintro.com, a NY-based company that 
bases its business model on emerging 
Web 3.0 technologies, sidesteps the 
Web 3.0 terminology controversy and
points out that Web 3.0’s social implications
can be defined simply by focusing
on the personal. “Data becomes
much more valuable and has a much 
bigger return when we tailor users’ ex- 
periences to their individual needs,” 


16 COMMUNICATIONS OF THE ACM MARCH 2010 




A Rensselaer Polytechnic Institute application for location-aware phones accesses Facebook 
and other online sources to make wine recommendations for a particular group of friends. 


Stanton says. “The more fulfillment 
one gains from personal experiences
on the Web, the better off the masses
will be, whether it is democratic, meritocratic,
or anything in between.”


From a technology standpoint, researchers
suggest a key aspect of Web
3.0 technology is moving beyond Web
2.0’s popular Asynchronous JavaScript
and XML (AJAX) model to one more
infused with semantic technologies
that facilitate interlinked data and
customizable, portable applications
that are device- or system-neutral. Jim
Hendler, for example, suggests viewing
Web 3.0 simply as Semantic Web
technologies powering large-scale 
Web apps. “The problem is that, like 
Web 2.0 before it, the term can be tak- 
en many ways,” says Hendler, a pro- 
fessor in the computer and cognitive 
science departments at Rensselaer 
Polytechnic Institute (RPI). 

“Many people use Web 3.0 to mean 
Web applications that use semantic
technologies, while others tend
to use it to mean anything that fixes 
the many known problems with Web 
2.0,” he says. “I tend to like [Radar 
Networks CEO] Nova Spivack’s idea 
that the version numbers correspond 
more to Web decades than to specific 
technologies, and that 3.0 will be the 
term used for all the new technologies 
emerging over the coming third de- 
cade of the Web.” 

Debates about the merits of Web 3.0 
as a label for emerging Internet tech- 
nologies aside, Hendler’s own work 
focuses largely on Semantic Web technology
and in particular on scalable
reasoning and data-on-demand systems.
“We are looking at technologies
that could, on the fly, find and merge 
appropriate pieces of very large data 
sets into custom data caches and make 
those available in Web applications,” 
Hendler says. The key, he notes, is find- 
ing a trade-off that is more efficient 
than the traditional knowledge relationships
that researchers working in
AI might use, but more powerful than
the relational models that have been
the hallmark of database research.

Hendler is working with the data
that the U.S. government is releasing in
the data.gov project with the purpose
of making it available in Semantic Web 
formats. In practical terms, Hendler 
and his team are focused on linking 
the data to other data sets and connect- 
ing it into information sources in what 
researchers are now calling the “linked 
open data cloud,” a set of data sets that 
have partial mappings to other data 
sets and domains, so that developers 
can mash up the data and write Web 
apps on top of it. 

In another project, Hendler is us- 
ing supercomputers to scale Seman- 
tic Web algorithms to extremely large 
data sets. “We’ve been playing with 
graphs that have over a billion triples 
[the assertions underlying the Seman- 
tic Web],” he says. “There’s really only 
a small number of groups working 
on this approach, and we think we're 
the only U.S. group in the space, so it 
is great fun.” As it turns out, Hendler 
and his team at RPI have been able 
to engineer new kinds of paralleliza- 
tion for Semantic Web processes. He 
says these developments might soon 
enable his team to migrate the algo- 
rithms to commodity hardware to 
power large-scale Web apps used by 
millions of people. 


Billions of Triples 
Despite the promising developments, 
challenges in this area remain. While
Hendler and his team are experimenting
with billions of triples, the Open
Calais project, one of many new en- 
deavors in this area, is creating 800 
million triples each week. “In the way 
the Web has of making scale critical, 
the numbers are growing really big, re- 
ally fast,” says Hendler. Such scale will 
become even more of an issue as more 
applications begin linking to other 
apps through the Semantic Web layer. 
Another researcher working on how 
Semantic Web technologies can facili- 
tate information handling and more 
precise representations is Ora Lassila, 
a senior data technologist at Nokia 
Services and a member of the Nokia 
CEO Technology Council. Lassila is
focused on a specific aspect of Semantic
Web technologies, which he calls
“provenance”—that is, where a piece
of information came from, who generated
it, and when. One of his goals is
to facilitate the transformation of Web
2.0 mashups so that information bits
from multiple sources can still retain
their provenance.

Web 3.0’s semantic
technologies
interlocked data
and customizable,
portable apps
that are device-
or system-neutral.

“Thus, you would be able to dissect
information and better understand its
reliability and trustworthiness,” Lassila
says. In this line of thinking, Lassila
rejects the notion that Web 3.0 might
lead to a reduction in democratization.
“It seems to me,” he says, “that making
it easier to disseminate trustworthy
information would have the opposite,
positive effect.”

Lassila says he is surprised at how
quickly Semantic Web ideas have been
embraced by Internet developers, particularly
in the past few years during
which many Semantic Web ideas and
formats have been adopted by even
large Internet companies. For example,
Google now supports a technology
called Rich Snippets and Yahoo has
created Search Monkey, both of which
rely on Semantic Web strategies. Powerset’s
semantic technology—acquired
by Microsoft in 2008—is reportedly a
significant component of Bing, Microsoft’s
search engine.

As another example, Bintro.com is
using semantics to enhance matching
technologies and simplify the way users’
needs are fulfilled online. Bintro’s
technology combines public semantic
knowledge bases with the company’s
own knowledge base, which includes
subject-specific terminology and jargon.
Bintro uses semantic data that in

Employment

A Bright Job Outlook


If you’re having second thoughts 
about a career in IT or CS in
the United States, you should
set those thoughts aside,
according to Ed Lazowska, the
Bill & Melinda Gates Chair in
Computer Science & Engineering
at the University of Washington.
In “Where the jobs are....” (http://www.cccblog.org/2010/01/04/where-the-jobs-are/), a post for
The Computing Community
Consortium blog, Lazowska
recently analyzed the U.S. 
Bureau of Labor Statistics’ new 
10-year forecast of job growth 
in all fields of employment and 
found the outlook for computer 
and mathematical jobs to be 
truly rosy. 

In the category of 
professional and related 
occupations, which includes 
computer science, the projected 
growth between 2008 and 2018 
is 16.8%. In contrast, the average 
growth across all occupations is 
projected to be 10.1%. 

Of the eight occupational 
clusters in the professional 
and related category, computer 
and mathematical occupations 
“are projected to grow by the 
largest percentage between 
now and 2018—by 22.2%,” 
Lazowska notes. “In other words, 
‘Computer and mathematical’ 
occupations are the fastest 
growing occupational cluster
within the fastest growing major
occupational group.

“Looking at all science and 
engineering occupations— 
computer and mathematical, 
architecture and engineering, 
and life, physical, and social 
science—computer science 
occupations are projected to be 
responsible for nearly 60% of all job 
growth between now and 2018,”
Lazowska writes. “The next
largest contributor—all fields
of engineering combined—is 
projected to contribute 13.4% of 
total growth. All of the life sciences 
combined: 5.6%. All of the physical 
sciences combined: 3.1%.” 

“In other words,” Lazowska 
concludes, “among all 
occupations in all fields of 
science and engineering, 
computer science occupations 
are projected to account for 
nearly 60% of all job growth 
between now and 2018.” 

The future Web will facilitate a more pervasive
and intuitive user experience, providing
content or services specific to the user’s implied
needs, suggests Richard Stanton.


most cases was not compiled for the 
purpose of matchmaking, making the 
effective organization of it a challenge 
that Stanton says is unique to the com- 
pany. One aspect of this challenge, in 
particular, is replacing existing multi- 
select fields by using semantic data re- 
lationships from narrative fields. 
According to Stanton, Bintro’s goal 
is not only to demonstrate the use of 
Web 3.0 technologies today, but also 
to build an engine for powering other 
Web 3.0 apps in the future. “Web 3.0
is all about personalization,” he says.
“Instead of simply looking at the user
as an eyeball, Web 3.0 aims to look 
at the user as an engaged personality 
with multiple facets from which the 
context of a user’s statement can draw 
a better result.” 

Lassila points to this type of highly 
customized user experience as an ongoing
challenge at Nokia. “This is good
for the users, but I am not entirely con- 
vinced how sustainable this is, as the 
implementation part becomes more 
and more difficult,” according to Las- 
sila. Still, he says Semantic Web tech- 
nologies hold great promise, particu- 
larly in situations in which users might 
require useful information from mul- 
tiple data sources. “There are plenty of 
existing opportunities for clever data
management,” he says.


As for future research, Lassila says 
he is committed to working toward a 
“substantial convergence” of technologies,
with computing machinery such
as phones, PCs, and appliances connecting
with communication systems
to facilitate seamless interaction with
family, friends, and colleagues, re- 
gardless of the different technologies 
involved. “It should not matter where 
the data comes from, where it resides, 
or what applications or systems create 
it,” Lassila says. “What matters is how I 
want to use it.” 

Echoing this sentiment, Stanton 
suggests the future Web will facilitate 
a more pervasive and intuitive user experience,
providing content or services
specific to the user’s implied needs.
“I was a big fan of The Jetsons as a kid
and I always loved how effortless their 
interaction with technology was,” he 
says. “The Semantic Web puts us one 
step closer to such a reality.” 

For his part, RPI’s Hendler predicts 
that in five years when Web 3.0 strate- 
gies have begun to mature, Web appli- 
cations might still look a lot like they 
do today but will have much more data 
available to them, will have search-like 
capabilities far more sophisticated 
than current search engines, and will 
be able to exploit query context much 
more effectively. Hendler also predicts 
that much more of our access to the 
Web will be from mobile devices, with 
location and social context more read- 
ily available to applications that are 
given elevated privileges. 

Still, like many researchers working 
in this area, Hendler is already looking 
beyond emerging Semantic Web strategies 
and related technologies that are 
now collectively called Web 3.0. “This 
stuff is new and exciting,” he says. 
“But I look at it this way: I started play- 
ing with the Semantic Web back in the 
1990s. As a researcher, I’m not content 
to sit around and exploit Web 3.0; my 
job is to help create Web 4.0.” 

Bell Labs to Reduce Networks’ Energy Usage 


Could today’s communications 
networks be 1,000 times more 
energy efficient? Bell Labs 
thinks so, and has launched 
a global consortium, Green 
Touch, which aims to make 
networks 1,000 times more 
energy efficient than they are 
today. 

“A thousand-fold reduction 
is roughly equivalent to being 
able to power the world’s 
communications networks, 
including the Internet, for three 
years using the same amount of 
energy that it currently takes to 
run them for a single day,” Bell 
Labs said in a statement. 

The thousand-fold efficiency 
target is based on Bell Labs 
research that indicates 
current information and 
communications technology 
(ICT) networks have the 
potential to be 10,000 times 
more energy efficient than they 
presently are. “A concerted effort 
to bring energy efficiency closer 
to these theoretical limits would 
not only shrink the estimated 2% 
of the world’s carbon emissions 
ICT contributes directly, but 
also lower the 98% contributed 
by all the other sectors touched 
directly and indirectly by ICT,” 
according to Bell Labs. 


The Green Touch consortium 
will explore the fundamental 
properties of communication 
networks and technologies— 
optical, wireless, electronics, 
processing, routing, and 
architecture—and study their 
physical limits by applying 
established formulas such as 
Shannon’s law. 
For more information, visit 
greentouch.org. 

Tracking Garbage 


Researchers are focusing on the so-called “removal chain” 
in an attempt to save landfill space, improve recycling rates, 
and trim the flow of toxic materials into the environment. 


IN A WORLD where the movement of goods—everything 
from pallets of breakfast cereal to computer components— 
is tracked with precision, it’s 
nothing short of remarkable that trash 
and recyclables are generally discarded 
without a thought. Worldwide, humans 
generate more than 2 billion tons of 
waste annually. In the U.S., each indi- 
vidual produces about 1.5 tons of solid 
waste per year. Unfortunately, no one 
knows exactly how all the waste flows, 
where it goes, and how it can be man- 
aged more effectively. 

This situation may soon change, 
however. Researchers are now focusing 
on the so-called “removal chain” in 
an attempt to address a long-standing 
problem: how to save landfill space, improve 
recycling rates, and trim the flow 
of toxic materials into the environment. 
Using barcodes, passive and active radio 
frequency identification (RFID) tags, 
cellular transmitters, and other tech- 
nologies, they’re putting a high-tech 
spin on what has long been a low tech 
and mostly unmanageable problem. 

It’s certainly more than a throwaway 
idea. Trash-tracking technology pro- 
vides a number of benefits, including 
the ability to follow individual items, 
components, and subcomponents 
through the disposal process to ensure 
that they are recycled or disposed of 
correctly; gauge how effectively curb- 
side recycling programs work and use 
incentives to boost participation rates; 
and weigh trucks as they go to landfills 
to better understand loads and how to 
establish more efficient routes and ser- 
vice patterns. 

“The study of what we could call the 
‘removal chain’ is becoming as important 
as that of the supply chain,” states 
Carlo Ratti, director of the SENSEable 
City Laboratory at the Massachusetts 
Institute of Technology (MIT). Ratti 
and a select group of researchers are 
among those tagging trash and exploring 
how society can deal with it more 
effectively. Notes Valerie Thomas, associate 
professor in the School of Public 
Policy at Georgia Institute of Technology, 
“Waste is a topic that society must 
address more effectively. We must find 
ways to reduce waste and make recycling 
easier and more streamlined.” 

[Figure: In July 2009, MIT's TrashTrack team deployed 3,000 smart tags on waste objects in New York, Seattle, and London, facilitating the monitoring of the trash’s path in real time.] 


Trash Gets Smart 

The idea of giving trash brains is ulti- 
mately about dollars, yen, euros, and 
good sense. At present, it’s often next 
to impossible to assure that trash is 
routed to the best possible destination 
for disposal or recycling. “The problem 
with the current system is that there is 
little understanding or control of the 
waste stream. In many cases, trash 
and recycling materials don’t wind up 
where they are supposed to go to,” observes 
Lewis Girod, a research scientist 
at MIT who designed the tags for the 
SENSEable City Laboratory project. 

That may soon change. The SENSEable 
City project, in place in New York 
and Seattle, aims to better understand 
the removal chain and boost recycling 
rates. A system called TrashTrack uses 
hundreds of small, smart, and location- 
aware tags as a first step toward the de- 
ployment of “smart-dust” networks of 
tiny locatable and addressable micro- 
electromechanical systems. Research- 
ers attach the tags to different types of 
trash in order to follow objects through 
a city’s waste management system. 
This reveals the final journey of items 
in a series of real-time visualizations. 
MIT displays the information at the 
Seattle Public Library and the Architec- 
tural League of New York. 

So far, researchers have tagged more 
than 3,000 pieces of Seattle and New 
York City garbage with electronic-track- 
ing devices that use a GSM chipset, SIM 
card, and cellular radio contained within 
a 2-inch-long device. The units—chosen 
because of the low cost and ubiquity 
of GSM—rely on an algorithm to shut 
off when they haven’t moved for a few 
minutes, and a timer and motion sensor 
to wake them up when movement is 
detected. When tags come into contact 
with a new cell tower they send a status 
report via SMS. Researchers match the 
time stamps with the reports to create 
a movement map. The method of using 
cellular signals is accurate to about 100 
meters, which is sufficient for tracking 
trash movement. 

Over the short-term, the units have 
proved effective. However, because 
they draw from a 900-milliamp lithium 
ion battery, they do not provide a long- 
term solution to trash tracking. At most, 
they can last about six months. Another 
challenge, Girod says, is ensuring that 
the antennas attached to the individual 
pieces of trash have exposure to the sky 
so that they can transmit continuous 
signals during the transport process. 
In some instances, other objects, ve- 
hicles, or facilities have obscured the 
units. The transmitters are enclosed 
in a small fiberglass shell to help them 
survive movement and possible com- 
pacting. Girod says the use of 3G GSM 
will provide better signal accuracy and 
dependability. 

MIT isn’t the only group to experi- 
ment with trash tagging. Georgia In- 
stitute of Technology's Thomas has 
examined tagging technology as well. 
She has focused on using conventional 
barcodes and RFID tags to track 
items as they move through the waste 
stream. The primary value, she says, is 
for managing items like batteries, toys, 
electronics, office equipment, shop 
equipment, household tools, garden 
equipment, and even clothes. “Many 
of these items can be recycled but they 
often aren’t,” says Thomas. “Some of 
them—including household chemi- 
cals, light bulbs, and fixtures—may 
contain toxic substances that could be 
more easily tracked and removed.” 

She advocates placing barcodes and 
more advanced optical barcode labels 
on items, and using passive and active 
RFID tags for situations where automat- 
ed scanning and tracking makes sense. 
“Right now, one of the biggest prob- 
lems is the way items are packaged,” 
Thomas notes. “There is often a bar- 
code on the package when something 
is sold, but the actual appliance or de- 
vice—and its subcomponents—are not 
identified.” Claudia Binder, a professor 
at the University of Zürich’s Institute of 
Science, Innovation, and Sustainability 
Research, has studied the use of RFID 
in trash tagging and believes it is feasi- 
ble and could play an important role in 
changing behavior and improving envi- 
ronmental awareness. RFID, she says, 
speeds data collection and eliminates 
line-of-sight issues. It would almost 
certainly “lead to an improvement in 
the current recycling rate,” she says. 

Nevertheless, tagging garbage presents 
a few obstacles. For one, there’s the 
cost of adding labels, tags, and readers 
to the removal chain—something that 
could boost per-item costs from a few 
cents to a few dollars. Tags themselves 
would have to be recycled, and privacy 
issues could enter the picture, Binder 
says. Without adequate protection, 
someone could glean details about a 
person’s life and consumption habits. 
Finally, Binder worries that too much 
automation could have the unintend- 
ed consequence of decreasing environ- 
mental awareness and shifting respon- 
sibility away from recycling. 


Waste Not, Want Not 

Despite the challenges, the idea of us- 
ing technology to track and manage 
trash is gaining momentum. In Aspro- 
pyrgos, Greece, a suburb of Athens, city 
officials implemented a three-month 
pilot study in 2007. Altogether, 15 of 
the 2,500 city-supplied garbage bins 
used by residents and businesses were 
equipped with an RFID tag mounted 
near the base of the bin. Each of the 
city’s 15 garbage-collection trucks 
was equipped with an RFID reader 
and when workers emptied any of the 
tagged bins into the truck, the anten- 
na picked up a unique ID encoded to 
the bin’s tag. The system allowed the 
town’s sanitation department to optimize 
routes and manage vehicles more 
efficiently. It also helped the city gauge 
the productivity of crews in the field. 
In Philadelphia, an RFID-based 
recycling system called RecycleBank 
(developed by Texas Instruments) was 
piloted in 2006. A high-tech bin mea- 
sures the volume of recyclables con- 
tained within it and when a truck picks 
up the items, it transmits the data to 
an onboard computer. Households re- 
ceive cash awards based on the amount 
of plastic, glass, and other materials 
they contribute. Recycling participation 
rates among the 2,500 residents 
who initially subscribed to the program 
rose from 25% to 90%. Moreover, 
the average household increased the 
volume of recyclables from less than 
5% to more than 50%. 

An effective removal-chain system 
would eventually create a more effi- 
cient disposal system and slash landfill 
requirements, Thomas says. It would 
also create new economies and oppor- 
tunities. Ultimately, Thomas would like 
to see a system where items that cannot 
be recycled—everything from banana 
peels to soiled napkins—can be com- 
posted and combusted, with the latter 
method producing power. MIT’s Gi- 
rod believes a better understanding of 
waste would lead to important changes 
in public behavior and public policy. 

In fact, governments are begin- 
ning to take notice, Girod says. In the 
United Kingdom, the Department for 
Environment, Food and Rural Affairs is 
studying trash tagging in order to better 
understand waste flow and how to 
trim refuse collection costs, improve 
recycling rates, and lessen the environmental 
impact of garbage, including 
hazardous waste. In the U.S., the Environmental 
Protection Agency has indicated 
interest in boosting compliance, 
and tagging would likely create a viable 
framework for managing consumption 
from purchase to landfill. 

“There’s no question that tracking 
trash has economic and social ben- 
efits,” concludes Thomas. “It will likely 
play an important role in the future. 
We must become more efficient in the 
way we dispose of waste.” 

Katayanagi Prizes 
and Other CS Awards 


DONALD E. KNUTH, Jon Kleinberg, 
Andrew Herbert, and 
other members of the computer 
science community 
were recently honored for 
their innovative research and service. 


Katayanagi Prizes in 
Computer Science 


Donald E. Knuth, who has made fundamental 
contributions in theoretical 
computer science and is the author 
of the seminal multi-volume The 
Art of Computer Programming, and 
Jon Kleinberg, a computer scientist 
whose work explores the interface 
between networks and information, 
were awarded the Katayanagi Prizes 
in Computer Science. 

Knuth, an emeritus professor at 
Stanford University and recipient of 
the 1974 ACM A.M. Turing Award, received 
the 2009 Katayanagi Prize for 
Research Excellence, which recognizes 
an established researcher with 
a record of outstanding, sustained 
achievement. Kleinberg, the Tisch 
University Professor of Computer Sci- 
ence at Cornell University, received 
the 2009 Katayanagi Emerging Lead- 
ership Prize, which honors a research- 
er who demonstrates the promise of 
becoming a leader in the field. 

The prizes are presented annually 
by Carnegie Mellon University in co- 
operation with the Tokyo University 
of Technology (TUT). The prizes are 
endowed with a gift from Japanese 
entrepreneur and education advocate 
Koh Katayanagi, who founded TUT 
and several other technical institu- 
tions in Japan. 


Order of the British Empire 

Microsoft Research Cambridge Man- 
aging Director Andrew Herbert was 
appointed Officer of the Order of 
the British Empire (OBE) by Queen 
Elizabeth II for services to computer 
science. The appointment was announced 
by Buckingham Palace as 
part of the 2010 New Year Honours list. 
A Microsoft Distinguished Engineer, 
Herbert has worked in the computer 
science field for 35 years, conducting 
research into computer networking, 
operating systems, and distributed 
computing. He is the fifth Microsoft 
employee to be honored by the OBE, 
in addition to Bill Gates, Tony Hoare, 
Tony Hey, and Roger Needham. 

[Photo: Donald E. Knuth, winner of the Katayanagi Prize for Research Excellence.] 


AAAS Fellows 

The American Association for the 
Advancement of Science recognized 
14 individuals as Fellows, in the Sec- 
tion on Information, Computing, 
and Communication, for their con- 
tributions to science and technol- 
ogy. They are: Marc Auslander, IBM 
Watson Research Center; Richard 
G. Baraniuk, Rice University; Alok 
Choudhary, Northwestern University; 
Narsingh Deo, University of Central 
Florida; James A. Gosling, Sun Micro- 
systems; Anthony J.G. Hey, Microsoft 
Corporation; Eric Horvitz, Microsoft 
Corporation; Henry C. Kelly, U.S. 
Department of Energy; Thomas F. 
Knight, Massachusetts Institute of 
Technology; David B. Lomet, Micro- 
soft Corporation; Keshav K. Pingali, 
University of Texas, Austin; Sang- 
uthevar Rajasekaran, University of 
Connecticut; Jeffrey S. Vitter, Texas 
A&M University; and Ouri Wolfson, 
University of Illinois, Chicago. 


ISSA Distinguished Fellows 

Information Systems Security Asso- 
ciation honored 22 individuals as Dis- 
tinguished Fellows, the association’s 
highest tribute. They are: Mary Ann 
Davidson, Dorothy Denning, Donald 
Evans, Susan Hansche, Steve Hunt, 
Sandra Lambert, Richard Mosher, 
William Hugh Murray, Lynn McNulty, 
Alan Paller, George Proeller, Marcus 
Ranum, Ron Ross, Howard A. Schmidt, 
Bruce Schneier, Eugene Schultz, San- 
ford Sherizen, Eugene Spafford, Har- 
old Tipton, William Tompkins, Roy 
Wilkinson, and Ira Winkler. 


IEEE Awards 

The Institute of Electrical and Elec- 
tronics Engineers (IEEE) Computer 
Society honored Michael T. Heath, the 
University of Illinois at Urbana-Cham- 
paign’s Fulton Watson Copp Chair in 
computer science, with the 2009 Tay- 
lor L. Booth Education Award for his 
“contributions to computational science 
and engineering education, curriculum, 
and scholarship.” 

IEEE Computer Society also hon- 
ored Judy Robertson, senior lecturer 
in computer science at Heriot-Watt 
University (and a blogger for Com- 
munications’ Web site), with the 2009 
Computer Science and Engineering 
Undergrad Teaching Award for her 
“outstanding contributions to the undergraduate 
education through teaching 
and the innovative use of pioneering 
technologies in teaching.” 

Economic and 
Business Dimensions 
Gaming Will Save Us All 


How gaming, as the first media market to successfully transition 
toward media-as-a-service, is an exemplar for a similar evolutionary 
transition of content and entertainment. 


I OFTEN PROCLAIM at digital media and gaming conferences 
that gaming (2.0) will save us all. By this, I don’t mean 
that we will spend our leisure hours reaching level 68 
Dark Elf Druids in World of Warcraft. I mean that 
well-proven, hybrid revenue models from the cutting edge 
of Gaming 2.0 will revive traditional media industries, 
many of which have been disrupted by digital formats and 
irreversibly fragmented by the Internet. 

Gaming 1.0 is the traditional packaged-goods, retail-based 
model we are all familiar with. Historically it will be 
remembered as the domain of nerdy, young males playing 
old-school downloadables and ad-based online products. 
The hits-based business model of Gaming 1.0 was as 
unpredictable as the hits themselves. Gaming startups had 
difficulty scaling up to large, standalone businesses. 
The success of Electronic Arts and a few others was 
overshadowed by countless business failures. Gaming 1.0 
companies spent fortunes to make products that might or 
might not make money. As with the movie business, Gaming 1.0 
companies increasingly bet the farm on “tentpole” titles, 
often sequels of prior successes. They did not invest in 
newer and riskier products. 

In contrast, Gaming 2.0 makes games frictionless, 
ubiquitous, social, and service-oriented. Gaming 2.0 
provides critical clues and guidance toward new, sustainable 
business models that could benefit social media, content, 
and e-commerce businesses in the future. Gaming 2.0 evens 
the playing field for game startups. It is not just the 
application of new computing and Internet technologies to 
old gaming paradigms; it combines new technologies, new 
designs, and new business paradigms. It is fueled by major 
changes in consumer behavior: 

> Rise of the Digital Natives: Consumers under the age of 30 
have grown up with the Internet, social networks, instant 
messaging, email, search, blogs, P2P downloading, and 
podcasts. These users spend more time on Web 
2.0 sites like YouTube and social net- 
works like Facebook and Twitter. They 
eschew broadcast TV for online video 
services like Hulu. Digital natives fa- 
vor online, digital formats instead of 
visiting retail outlets to discover and 
purchase their media. They are adept 
at seeking out new offerings, and they 
share their findings virally. 

> Irreversible Fragmentation and 
Short Attention Spans: The Long Tail 
theory suggests the Web allows every 
user to find offerings that suit his or 
her particular tastes. Such wide choice 
makes it increasingly difficult for a publisher 
or media company to reach mass 
audiences effectively. This is borne out 
by dying formats such as broadcast TV, 
radio, and newspapers. Thousands of 
niche offerings replace a few massively 
popular hits that everyone likes. On top 
of this there is a very short attention 
span from users faced with unprec- 
edented options and the ability to surf 
instantly on to the next site or link with 
a single click if faced with something 
that isn’t instantly appealing. 

> New, Open, and Lightweight Plat- 
forms: The most exciting new formats 
for interactive experiences include the 
iPhone (for which there are now more 
than 100,000 applications, of which 
more than one-third are games) and 
other smartphone platforms, social 
networks such as Facebook and Mys- 
pace with open application support, 
and increasingly powerful Internet 
browsers capable of rich-media experi- 
ences, streamed fully in-browser, with- 
out the need for heavy downloads or 
additional software. These formats are 
widely available and have experienced 
wide adoption, attaining huge active 
audience bases worldwide. 

In light of these disruptive changes, 
we’ve entered what many consider to 
be a Renaissance Era of Indie Gaming, 
in which small upstart teams have just 
as much a chance to launch a profitable 
title directly into the market as the large 
traditional publishers. In many cases 
the startups are innovating much faster 
than the incumbents, who continue to 
fight the Gaming 1.0 battle under pressure 
from a slowing retail-based model. 

More specifically, the following innovative 
drivers define Gaming 2.0: 

Ubiquitous Gaming. The most exciting 
aspect of Gaming 2.0 is the rise of 
games on new, popular platforms with 
mass audiences such as iPhone and 
Facebook. Through these, gamemakers 
can reach whole new audiences willing 
to try out games, but who would 
never self-identify as the stereotypical 
“gamers” who only make up 10% of 
the population. At least two-thirds of 
iPhone and iPod Touch owners have 
downloaded and played a game. Most 
did not expressly purchase the device 
to play games, as opposed to those who 
purchase a dedicated game console, 
but a mass market of non-core gamers 
is now investing significant amounts of 
time and money in lightweight games, 
expressly built for these non-dedicated 
and ubiquitous platforms. 

Approaching Frictionless Distribution. 
Gaming 2.0 is about bringing games to 
the broader market of non-core gamer 
consumers, so the games themselves 
need to be as easy as possible to try out 
and play. Typical practices from the 
Gaming 1.0 world, such as asking pro- 
spective players to first download heavy 
client software, register to play, or pur- 
chase the game upfront, represent fric- 
tion points for user adoption and scare 
off many consumers. The gaming mar- 
ket is giving way to browser-based, thin- 
apps and free-to-play frictionless mod- 
els, aimed at getting the consumer to 
try out a game quickly and get hooked 
on the experience, eventually resulting 
in deeper engagement, viral sharing, 
and monetization. Frictionless gaming 
also emphasizes direct-to-consumer 
publishing, without the need for retail 
distribution or a packaged game 
product. Many experiments in Gaming 
2.0 involve open platforms such as 
Facebook, MySpace, iPhone, and Xbox 
Live Community Games, which enable 
startup developers to release games 
into the market unfettered by traditional 
gatekeepers or distributors. 

Social as a Means Toward Distribution. 
“Social networking” is not a market: 
it’s a kind of functionality that 
will be woven into all offerings as a 
mechanism to enhance distribution, 
marketing/promotion, and self-expression/engagement. 
Similarly, “mobile” 
is not a market, but a logical extension 
of the cloud media model, an 
increasing overlay of the social graph 
across all content and media. This has 
already begun to reduce the anonymity 
of the Web and increase the accountability 
and quality of conversation 
in and around content/product/media. 
Potentially, this could lead to 
multi-region, cross-pollination in interactions. 
Social gaming is interesting 
because both sides (social media 
mavericks, traditional games folks) 
are learning from each other. Social 
can grow audience bases virally, while 
gaming can retain and engage these 
audiences long after the initial viral 
buzz wears off. Today’s social games, 
such as Zynga’s MafiaWars, have 
proved that you don’t even need a real 
game engine or fancy graphics to get 
large audiences playing and spending 
money. These simple x-Wars social 
games are just the beginning. Soon 
we will see improvement in formats, 
quality of production, and interactive 
storytelling—the start of “premium 
social gaming.” 

Designing Compelling Content for 
“Snack Gaming” and Voluntary Rep- 
etition. Gamemakers are learning 
to optimize the user experience for 
“snack gaming” (many frequent ses- 
sions of only a few minutes of play), 
as opposed to deep engagement 
with multi-hour gameplay sessions. 
Most consumers are time-starved 
and do not want to invest significant 
amounts of time per play like hard- 
core gamers. Compelling stories 
and content that induces “compul- 
sion loops” drive users to keep com- 
ing back for more participation. The 
stories may be episodic and involve 
user-modifiable game content. Us- 
ers come back because they like the 
experience and get hooked on one or 
more compulsion loops. These users 
do not need constant “app and social 
newsfeed spam” to get them to re-engage. 
Such alerts are good for initial 
awareness building, but the core 
compulsion loop quickly takes over. 

The art of the “meta-game” will be 
the most important long-run design 
skill for Games-as-a-Service (GaaS): 
when each piece of content or activity 
ultimately becomes a “mini-game,” it 
is important to design the meta-game 
wrapper around everything to encourage 
users to level-up, collect, share, 
buy/sell/trade, explore, and try again. 

Games as a Service. Games packaged 
as “fire and forget” releases are 
quickly becoming obsolete. Online 
pioneers such as Blizzard (World of 
Warcraft) and Nexon (Maple Story) 
have proved that GaaS and Cloud 
Gaming are viable new paradigms. 
Content creators must rethink how 
they design their offerings, moving 
away from discrete offerings sold and 
handed off to players, and toward es- 
tablishing ongoing relationships with 
their users. 

Games are increasingly “living” on 
Internet servers as ongoing experienc- 
es in which players touch each other 
frequently across a multitude of devic- 
es (Web browsers, consoles, iPhones, 
and even within social networks). This 
shifts expenses, planning, and spending 
priorities. Only half or less of budgets 
will be spent on “launch,” with 
increasing amounts used to “operate” 
the ongoing service. Activities such 
as community management, expansion 
packs/dynamic content updates, 
microtransactions processing, virtual 
goods refreshes, and related activities 
become more important. This is 
an early case study for the shift of media 
overall toward Media-as-a-Service 
(MaaS). Imagine subscribing to all-you-can-eat 
on-demand music services 
instead of buying individual songs 
or albums, or think of the emerging 
online Netflix model. Getting content 
into the hands of the audience is just 
the first step; the real trick is keeping 
the consumer engaged over the long- 
term, continually monetizing the re- 
lationship and cross-promoting other 
offerings. 

Reinventing the Business Model for 
Media. MaaS as inspired by the gam- 
ing industry is the new Holy Grail for 
media. The reinvigoration of the mu- 
sic, TV, movie, and print media indus- 
tries will come from adaptations of 
this model. The model blends revenue 
streams, including free-to-play, mi- 
crotransactions (around virtual goods 
and virtual currencies), and premium 
membership and subscriptions. A 
healthy model shows what I call the 
“85/15/2” pattern: the majority (85%) 
of participants plays for free, and do 
not engage in microtransactions or 
subscriptions. They can be lightly 
monetized via ads, but they contribute 
indirect value by enriching the game 
world and experience for other players 
through their participation. A smaller 
fraction of participants (10%-15%) 
pays small amounts for microtransactions. 
A very small fraction of participants 
(1%-3%) pays for premium 
services or subscriptions. Subscribers 
might engage in microtransactions for 
rare items, collectibles, vanity goods, 
and so forth. A parallel scenario in the 
music industry would have ad-based 
“free to play” for a limited on-demand 
streaming music experience; per-song 
and per-item microtransaction pur- 
chases; and all-you-can-eat unlimited 
subscription services with additional 
perks and benefits. 

Many aspects of Gaming 2.0 can 
be transported to music, broadcast 
TV, print journalism/magazines, and 
packaged media in general. Gaming 
is the first media market to shift suc- 
cessfully toward MaaS (Media-as-a- 
Service), and is a terrific poster child 
for how content and entertainment 
might transition toward XaaS (Every- 
thing-as-Service). 


Tim Chang (tchang@nyp.com) is Principal at Norwest 
Venture Partners, which has supported over 400 
companies in its 45-year history. This column is derived 
from his keynote speech from the Casual Connect 2009 
conference 

Only Technological 
Processes Are Patentable 


The U.S. Supreme Court will narrow the universe of process innovations that can be 
patented to those that are “technological,” but what will that mean for software? 


ON NOVEMBER 9, 2009, the U.S. 
Supreme Court heard oral 
argument in the Bilski v. 
Kappos case. The question 
is whether a method for 
hedging risks of price fluctuations of 
commodities is eligible for patent protection. 

My most recent Communications 
Legally Speaking column, “Are Business 
Methods Patentable?” (November 
2009), suggested the Court’s ruling in 
Bilski would have implications for the 
patentability of computer programs. 
After attending the oral argument in 
the case, I am now less sure of that. 
One thing I am sure of, though, is 
that Bilski is not going to get his patent. 
The Court made mincemeat out of Bils- 
ki’s main arguments in favor of the pat- 
entability of his method. The Justices 
peppered him with questions and made 
comments indicating that they thought 
his arguments were preposterous. 
Hearing the oral argument also con- 
vinced me that the Court is unlikely to 
proclaim that business methods, as 
such, are ineligible for patenting. The 
Court instead seems likely to rule that 
Bilski’s method is unpatentable be- 
cause it is a nontechnological process. 
To implement this standard, the 
Court is likely to adopt a “machine or 
transformation” test so that the Patent 
and and Trademark Office (PTO) and 
the courts can distinguish between 
technological and nontechnological 
processes. Under this test, Bilski’s 
method is unpatentable because it is 


Pamela Samuelson holding the Bilski brief in front of the U.S. Supreme Court building. 


neither tied to a specific machine, nor 
does it transform anything from one 
state to another. 

The main reason Bilski is unlikely to address software patent issues is that dozens of software companies and organizations filed amicus curiae (friend of the court) briefs explaining that a broad patent subject matter ruling in Bilski could sweep away patents in this field. (Some amici wanted software patents to be swept away, while others sought to preserve software patents.) The Court will likely leave questions about the patentability of software innovations to future cases.

MARCH 2010

Alphabets, Horse Whispering,
and Speed Dating

Most Justices came to the oral argu- 
ment with their favorite examples of 
innovations they thought were un- 
patentable and tested them out on 
Bilski’s lawyer, Michael Jakes. Justices 
Kennedy and Roberts, for instance, 
quizzed Jakes about whether a new 
alphabet could be patented. Dutifully 
sticking to his script, Jakes said yes in- 
sofar as it was a practical application 
of knowledge that could be expressed 
in a series of steps. 

Under Bilski’s theory of patent sub- 
ject matter, Justice Scalia suggested 
that innovations in horse-training 
techniques, such as horse whispering, 
would be patentable. Yet, no such pat- 
ents have issued for them. Scalia asked 
Jakes to explain why. When Jakes an- 
swered that the U.S. economy in the 
19th century was based on industrial 
processes, Scalia derisively comment- 
ed that the economy back then was 
based more on horses. 

Scalia also asked Jakes if an im- 
proved method for winning friends and 
influencing people was patent-eligible, 
conveying by the tone of his voice that 
he thought the very idea was absurd. 


The patentability of speed-dating methods was raised by Justice Sotomayor, who worried that without some
sort of technology limitation patents 
would extend too far and impose too 
many costs on society. 

That Bilski’s theory would also al- 
low patents on estate planning, tax 
avoidance, and jury selection methods 
was of concern to Justice Ginsburg who 
plainly regarded these methods as be- 
yond the patent pale. 

Justice Breyer asked Jakes if a professor could patent an improved method of teaching antitrust law. After Jakes affirmed this, Breyer asked him to suppose the Court was not willing to go that far; did Jakes have anything to offer as an alternative formulation of patent subject matter? Jakes did not.


What Test to Use?

That Bilski will lose his appeal is certain. But the Justices were plainly struggling during the oral argument about what test should be used to distinguish between patentable and unpatentable processes.

The test will certainly not be the patent subject matter rule that the Court of Appeals for the Federal Circuit (CAFC) used between 1998 and 2008. It focused on whether a claimed method produced a “useful, concrete, and tangible result.”

In the decade after the CAFC announced this test, the PTO was flooded with applications for patents on a wide range of methods in many fields of human endeavor, including sports moves, business methods, arbitration procedures, charitable giving techniques, and dating methods.

After the Supreme Court in 2006 expressed dissatisfaction with the CAFC’s views of patent subject matter (see my July 2008 column “Revisiting Patentable Subject Matter”), the CAFC decided to revisit patent subject matter. It heard Bilski’s appeal en banc (with all 12 judges on the court, not just the usual three-judge panel) and articulated the machine-or-transformation test mentioned previously, under which Bilski’s method was unpatentable.

As formulated by the CAFC, the machine-or-transformation test has been criticized for being too formalistic, failing to articulate a normative or policy-based grounding, and too easily subverted by a simple mention of technology (for example, a computer) in the claims.

Yet, the PTO has defended this test as practicable for conducting examinations. In its brief to the Court, the Solicitor General explained why the PTO believed this test was consistent with the Court’s prior rulings and why it would be workable in making subject matter determinations.

During the oral argument, three other bases for resolving the patent subject matter question posed by Bilski’s application came up.

Justice Alito wondered whether the Court should reject Bilski’s claims on the ground that they were too abstract to warrant a patent. Malcolm Stewart, the government lawyer who defended the PTO’s rejection of Bilski’s claims, said such a ruling would undermine the “limited clarity” that the machine-or-transformation test had provided and would leave unresolved the question as to whether nontechnological processes, such as antitrust teaching methods, were or were not patentable.

Justice Sotomayor asked whether the 
Court should resolve the case by ruling 
that business methods were unpatent- 
able. Stewart argued against this be- 
cause the PTO thought that some tech- 
nological implementations of business 
methods might qualify for patents. 

Justice Ginsburg was attracted to the idea of saying that technological processes are patentable, but nontechnological processes aren’t. Stewart characterized the “machine-or-transformation” test as a “shorthand version” of that standard.

As the oral argument proceeded, the 
Justices became more comfortable with 
the machine-or-transformation test.
Yet, they were plainly concerned about 
the risk that adoption of this test might 
foreclose patentability as to a new tech- 
nology that did not satisfy this test. 

To address this concern, Stewart 
recommended that the Court “ac- 
knowledge that there has never been a 
case up to this point that didn’t involve 
a machine or transformation,” but it 
“could leave open the possibility that 
some new and as yet unforeseen tech- 
nology could require the creation of an 
exception.” This seemed to satisfy the 
Court’s concerns. 


Difficult Questions Ahead 
Involving Computers 

Bilski is an easy case under the ma- 
chine-or-transformation test because 
Bilski didn’t mention any technology 
in his application: no telephone, no 
fax machine, no computer. 

Several Justices were skeptical of the view that merely mentioning a conventional technology in a patent claim could suffice to convert an unpatentable process into a patentable one. A method of calculating historical averages of prices, for instance, should not become patentable just because the claim mentions the use of a calculator in carrying out the method.

Justice Roberts stated his view that 
“tangential and insignificant” uses of 
machines in a claimed process should 
not render the process patentable. 
Stewart agreed that the use of a con- 
ventional piece of technology for its 
conventional functionality should not 
change the patent calculus for claims 
mentioning them. 


A much more difficult set of questions arises, however, with respect to computers. Arguing for the PTO, Stewart asserted that a programmed computer to carry out a claimed method would satisfy the machine-or-transformation test. Several Justices did not find this argument persuasive.

Justice Breyer, for instance, expressed concern that if the Court accepted this view, then business methods such as Bilski’s could easily become patentable by mentioning use of computers to carry out the methods. This would undermine the Court’s clear intention that such methods not be patentable.

Justice Stevens contested the view that a programmed computer was a new machine, given that the only new thing about the computer was a software process being run on it.

Also unclear is what kinds of transformations will satisfy the test. Back in 1972, the Court called into question the patentability of processes that transform data in Gottschalk v. Benson. That case upheld the PTO’s denial of a patent for an algorithm for converting binary coded decimals into pure binary form. The only software-related process that the Court has ever deemed patentable—and that only by a 5-4 decision—was Diamond v. Diehr in 1981. Diehr involved a rubber-curing process that transformed matter from one physical state to another, which utilized a computer program in conjunction with it.

By the end of the oral argument, Stewart seemed to have convinced the Court that Bilski was not the appropriate vehicle for addressing the complex issues that computers raise. They will likely be left for another day.


Conclusion

Normally I would wait until the Court published its decision before writing a “Legally Speaking” column about it and its implications for computing professionals. Bilski was a rare instance in which the oral argument illuminated the Court’s views on the merits and clearly signaled the direction of the Court’s thinking about the reasoning it would use to justify its ruling.

(I should confess, however, that one
reason I decided to write about Bilski 
now is because it was a case in which I 
submitted an amicus brief in support 
of the PTO, and it was the first oral ar- 
gument before the U.S. Supreme Court 
I ever attended. It was such a thrill.) 

The Bilski ruling will likely be unani- 
mous. The only question is whether 
there will be one opinion or two or 
three. In some recent intellectual prop- 
erty cases, the unanimous opinion for 
the Court has been fairly short and 
straightforward, supplemented by con- 
curring opinions that express some Jus- 
tices’ views about issues not addressed 
in the main opinion for the Court. 

It would not surprise me if the Jus- 
tices did a little (unpatentable) horse 
trading in their post-argument confer- 
ence on Bilski under which they agreed 
to issue only one opinion in this case 
and to take a software-related patent 
subject matter case when the oppor- 
tunity arose, as it almost certainly will 
very soon. 

The patentability of software-relat- 
ed inventions has been hotly debated 
since the mid-1960s. There is still no 
resolution in sight. But the Court is 
focused on software-related patent is- 
sues again. So we can expect some sig- 
nificant developments in the next two 
or three years. 


Pamela Samuelson (pam@law.berkeley.edu) is the 
Richard M. Sherman Distinguished Professor of Law and 
Information at the University of California, Berkeley 

Calendar
of Events

March 15-19
Eighth International Conference on Aspect-Oriented Software Development
Rennes and Saint Malo France,
Contact: Jean-Marc Jezequel,
Phone: 33299847192,
Email: jeqzequel@irisa.fr

March 16-18
3rd International Conference on Simulation Tools and Techniques
Malaga, Spain,
Contact: Luiz Felipe Perrone,
Phone: 570-577-1687,
Email: perrone@bucknell.edu

March 18-19
ACM International Workshop on Timing Issues in the Specification and Synthesis of Digital Systems
TBA, CA,
Sponsored: SIGDA,
Contact: Peng Li,
Email: pli@tamu.edu

March 22-24
Eye Tracking Research and Applications
Austin, TX,
Sponsored: SIGCHI and SIGGRAPH,
Contact: Carlos Hitoshi Morimoto,
Phone: 55-11-3091-6499,
Email: chmorimoto@gmail.com

March 22-26
The 2010 ACM Symposium on Applied Computing
Sierre, Switzerland,
Sponsored: SIGAPP,
Contact: Sung Y. Shin,
Phone: 605-688-6235,
Email: sung.shin@sdstate.edu

March 26-27
Consortium for Computing Sciences in Colleges (CCSC) Midsouth
Searcy, AR,
Contact: Dr William M Mitchell,
Phone: 317-392-3038,
Email: willmitchell@lightbound.com

March 29-31
International Conference on Multimedia Information Retrieval
Philadelphia, PA,
Sponsored: SIGMM,
Contact: James Ze Wang,
Phone: 814-865-7889,
Email: jwang@ist.psu.edu

Computing Ethics
The Ethics Beat 


Surveying the increasing variety and nature of ethical challenges 
encountered by computing researchers and practitioners. 


I have assumed responsibility for the ethics column in Communications Viewpoints section. The Computing Ethics column will appear occasionally and provide an editorial focus promoting understanding and resolution of ethical issues of concern to people in the computing profession. This inaugural column has two goals: to provide information about the center I run and to briefly highlight the work of two people who have contributed to ethics in the areas of computer science and engineering.


I direct the Center for Engineering, Ethics, and Society (CEES, http://www.nae.edu/ethicscenter) at the U.S. National Academy of Engineering (NAE). The NAE is part of The National Academies, a federally chartered membership organization that advises the U.S. on science, engineering, and medicine. The NAE launched CEES in 2007 with support from member Harry E. Bovay, Jr.; the Bovay grant provides core funding through 2011. CEES examines and helps to resolve societal and ethical issues through workshops, conferences, research, and education.

CEES manages the Online Ethics Center (OEC) at the NAE (www.onlineethics.org). OEC provides professionals and students in science and engineering with resources for understanding and addressing ethically significant problems that arise in their work. It promotes learning and advances the understanding of responsible research and practice. CEES is currently revamping the OEC with support from the U.S. National Science Foundation (NSF) that began in May 2009. Site improvements will provide assistance to principal investigators and academic institutions regarding new requirements for ethics instruction in the American COMPETES Act of 2007. The People section explains how you can contribute, and you can use the Ask-Us link in that section to ask questions.


Workshops 

The NSF recently provided support for CEES to hold a workshop on Ethics Education in Scientific and Engineering Research: What’s Been Learned? What Should Be Done? (See the report by that title from National Academies Press, 2009; http://books.nap.edu/catalog.php?record_id=12695). CEES worked with its advisory group and the National Research Council’s Division on Policy and Global Affairs and the Academies-wide Committee on Science, Engineering, and Public Policy to develop the project.

At the meeting, participants ar- 
ticulated the following assumptions. 
Competitive and complex research 
environments pose increasing ethical 
challenges for research scientists and 
engineers. Interdisciplinary and inter- 
national participation require crossing 
of cultural boundaries, and the close 
coupling of commerce and academia 
can create difficulty in recognizing the 
right thing to do. Gaps remain in ethics 
education, and it is difficult to measure
the effectiveness of existing programs. 

Charles Huff, Department of Psychology, St. Olaf College, has a long-standing research interest in identifying and evaluating ethical professional behavior. At the ethics education meeting he reported results of research involving numerous collaborators and sources of support. Huff’s team used interviews and documentary materials to study two types of morally exemplary individuals in computing: those oriented toward craft (for example, computer accessibility for disabled users); and those oriented toward reform (for example, computing and privacy). These types represent different moral ecologies, which are environments in which individuals can develop ethically exemplary careers. Characteristics in a “model” of ethical performance over time include “moral ecologies, individual personality, relevant skills and knowledge, and the integration of morality into the individual self.”

ILLUSTRATION BY YAREK WASZUL

By understanding such complexities it is possible to assess the limitations in approaches to ethics education that focus only on individual decision points. Training in the skills and knowledge necessary to address particular ethical issues in research provides important guidance for analysis of particular situations, but it cannot inoculate individuals against questionable practices. A performance approach requires the evaluation of professional ethical behavior over the course of a career, and encourages an ethics perspective that goes beyond compliance toward the development of ethical ideals. For more information see http://www.stolaf.edu/people/huff/.

Ideas emerging from the workshop include:

> Context: Academic institutions should show they have established wide-ranging programs to stimulate and reward ethically appropriate behavior.

> Learning: Student participation should be mandatory and a repository of information about best practices should be created with a plan for dissemination of these materials to colleges and universities.

> Criteria for programs and activities: Successful programs involve research faculty using case studies and interactive formats supplemented with appropriate online materials.

> Interactivity: Students have a facility for accessible and interactive online resources. Ethics-focused instructional materials must reflect this.

> Mentoring: Science and engineering faculty and faculty with ethics education responsibilities should work together on mentoring postdoctoral fellows and graduate students at the dissertation level.

> Evaluation: Appropriate agencies should fund a workshop to develop evaluation criteria and measures for ethics education in science and engineering curricula.

> Social responsibility and responsible conduct of research: Support should be given to programs that creatively teach ethics and the social responsibilities of science and engineering, as well as the responsible conduct of research.

CEES is planning panels at several professional society meetings on this topic (see www.nae.edu/ethicscenter for upcoming events). Copies of the workshop report will be available at the meetings and free online at the Web site of the National Academies Press.

Another important topic examined 
by CEES is the relationship between 
engineering and social and environ- 
mental justice, and sustainability. Engi- 
neers sometimes get caught in conflicts 
that arise between different positive 
goals; for instance, when humanitarian efforts reinforce status inequalities or environmental degradation. In
2008, with partial support from NSF, 
CEES and the Association for Practical 
and Professional Ethics (APPE) spon- 
sored a workshop titled “Engineering, 
Social Justice, and Sustainable Com- 
munity Development.” This workshop 
brought together engineers and schol- 
ars from Science and Technology Stud- 
ies (STS) to consider improvements 
in engineering ethics, engineering 
practice, and engineering education. 
Engineering and social justice were 
hotly contested at the meeting, while 
engineering and humanitarianism, 
engineering and social responsibility, 
and engineering and environmental 
justice were less controversial. 

Kevin Passino of the Department 
of Electrical Engineering at The Ohio 
State University participated in this 
workshop. He argued that educating 
engineers who take on volunteer work 
is a responsibility for engineering 
educators, and that fulfilling that re- 
sponsibility requires the following: 

> Putting more emphasis on ethics 
and professionalism in the curriculum; 

> Encouraging hands-on volunteer- 
ism via student organizations; and 

> Promoting service learning
through community-oriented design
projects.

Infrastructure Development

Developing the academic infrastruc- 
tures that can encourage and support 
engineering volunteerism is a signifi- 
cant challenge. Passino noted that the 
definition of a profession has always 
included public service. Applied to the 
engineering disciplines, this defini- 
tion implies that some portion of the 
engineering community must focus 
on serving society. Not every engineer must satisfy this criterion, but the profession as a whole must.

Passino provided examples of class assignments for teaching ethics and professionalism in the design of projects that meet community design constraints or address global issues, and research papers on subjects such as assessment of corporate citizenship programs and engineering volunteerism projects, evaluating codes of ethics, and so on.

To accomplish such goals, Passino 
argued for an infrastructure that goes 
beyond academia to involve profes- 
sional organizations, government, and 
industry. He discussed as an example 
ECOS (Engineers for Community Ser- 
vice), a student-run organization at The 
Ohio State University that links stu- 
dents with sponsors of local and inter- 
national service projects that promote 
professionalism. 

For more about the ECOS-sponsored activities, see www.ecos.osu.edu for project descriptions; for more about his activities, see www.ece.osu.edu/~passino/.

Participants in the 2008 workshop 
on engineering and social and envi- 
ronmental justice, and sustainability 
agreed the discussion should contin- 
ue at the 2010 APPE Annual Meeting, 
through a mini-conference titled “En- 
gineering Towards a More Just and 
Sustainable World.” Those interested 
in attending can learn more by check- 
ing the CEES or APPE Web sites. 

I intend to explore ethics from many perspectives in future installments of this column and encourage and welcome any suggestions readers wish to provide.


Rachelle Hollander (rhollander@nae.edu) is the director 
of the Center for Engineering, Ethics, and Society at the 
U.S. National Academy of Engineering in Washington, D.C. 

The Profession of IT
Orchestrating Coordination 
in Pluralistic Networks 


Learning to build virtual teams of people 
of diverse backgrounds is an urgent challenge. 


Long the bane of organizations and teams, coordination breakdowns can be expensive, wasteful, mission killing, and sometimes life threatening. They manifest as miscommunication, misunderstandings, ill-timed actions, wasted motion and resources, and performance-killing bad moods. A plethora of coordination technologies seeks to overcome these problems and enable virtual teams, but coordination breakdowns have become more common and more severe in virtual teams. Exquisite coordination, which separates high performance teams from the rest, is an ever more elusive goal.


The core of the challenge is that the team members are drawn from pluralistic networks—people from different countries, cultures, backgrounds, worldviews, and practices. This diversity of value sets makes coordination all the more difficult.

Recent disasters have made the pluralism issue publicly visible. Despite all the good they did, the groups gathered for humanitarian assistance
encountered systemic inabilities of 
government and non-government or- 
ganizations to coordinate well, leading 
to delayed responses, wasted resourc- 
es, and additional lost lives. Examples 
appeared during the 9/11 attack in 
New York City, the 2004 tsunami in 
the Indian Ocean, and the 2005 Hur- 
ricane Katrina in the U.S.” 

Disaster relief teams have an additional problem: they are often under
overwhelming stress. The tendency 
of teams to move toward dysfunction 
under stress regularly deepens disas- 
ters, loses wars, and sinks companies. 
Pluralistic worldviews exacerbate the 
stress because they add obstacles to 
coordination when there is no time to 
deal with them. 

Interestingly, it appears that com- 
puting people have a great deal to con- 
tribute to the solution of this problem. 
They know how to design and build 
computational tools that facilitate 
conversational protocols, and collect, 
analyze, and present complex data in 
a form that facilitates decision-making. Prototypes of these tools appear
in MMOGs (massively multiplayer on- 
line games). The challenge for com- 
puting people is to help understand 
the coordination skills for pluralistic 
networks and then design tools to en- 
able diverse communities to quickly 
form effective teams. We will discuss 
the latest in a series of experiments we 
conducted with the World of Warcraft 
(WOW) game that leads us to be opti- 
mistic about this possibility. 


The Changing Context 

Most of us have enjoyed a tradition of 
working in organizations with clear 
chains of command in fairly homogenous communities. This tradition,
which might be called “hierarchical 
uniformity,” is no longer valid for 
many groups. Instead, many groups 
are confronted with what might be 
called “diversified nonuniformity.” 
In this context, teams are multicul- 
tural, deadlines are short, actions are 
automatic (nonreflective), decision 
making is distributed, leadership is 
earned, performance assessment is 
purely merit based, in-person meet- 
ings are infrequent, resources are in- 
sufficient, information is overwhelm- 
ing, and sensory data is conflicting. 

It is no surprise that hastily formed 
networks for disaster relief are fertile 
grounds for miscoordination: they vio- 
late the tradition dramatically.’ Partic- 
ipants from hierarchical uniform or- 
ganizations have little need to practice 
coordination in pluralistic networks. 


When they convene in such a network,
they are unprepared to work together.

The hierarchical uniform tradition goes hand in hand with three other beliefs about effective teams. One is the notion of “best practices”: the leadership finds a “best” way to do something and requires everyone to do it that way. In our experience, this notion is incompatible with pluralistic networks. There is no one “best way” for a diversified team to accomplish its mission. It must adapt and flow with a constant stream of new possibilities.

Second is relativism, the notion 
that all team member worldviews are 
equally valid and, hence, the common 
ground must be found in the absence 
of universal values. We believe, to 
the contrary, that there are universal 
values. Seven of them motivate the 
practices we recommend below. For 
example, asking for and receiving 
binding commitments is universal, 
although the style of making requests 
and promises varies among cultures. 
Another example is that everyone be- 
lieves in “do not kill any person,” al- 
though many do not hesitate to kill 
those whom their culture defines as 
“non-persons.” 

Third is team stages of development, 
the notion that teams move through 
the stages that Bruce Tuckerman called 
“forming, storming, norming, and 
performing.”® This is useful guidance 
for leaders of relatively homogenous 
teams. In pluralistic networks, the formation of leadership itself becomes a
central concern. There is no externally 
appointed leader who can guide the 
team through those four stages. The 
team’s emergent leadership must do 
this by itself. The possibilities of mis- 
communication and dramatic mood 
shifts are constant threats. 


Practices for Diversified 
Coordination 
We have been conducting experiments 
to understand a small but important 
piece of the problem: What practices 
do small teams need to function well 
in a pluralistic network? Answering 
this question is the first step toward 
building helpful computational tools.

The main issue of pluralistic networks is that the members bring different values and do not see the world the same way. We have investigated whether there are universal values that would bridge the diversity, generate mutual respect, and support everyone’s dignity. We have found seven universal values and associated practices that realize them in the team:

1. Proficiency in a practice essential to the team;

2. Capacity to articulate a vision of the team’s value in the world that others embrace and commit to;

3. Capacity to enter into binding commitments and fulfill them;

4. Capacity to spot and eliminate waste;

5. Capacity to share on the spot, real-time assessments of performance, for the sake of building and maintaining trust, including disclosures of moods and emotions inspired by the environment and action of the team;

6. Capacity to observe one’s own history and how it interacts with the histories of the others on the team; and

7. Capacity to blend, meaning to dynamically align one’s intentions, movements, and actions with those of others.

Research and experience support 
the hypothesis that these practices 
constitute the essential core for coordination in pluralistic networks. For
example, Womack and Jones" promote “lean thinking,” a practice of
seeing and eliminating waste. Gladwell’
reports on how airlines discovered 
that most accidents could be traced 
to cross-culture miscommunication 
in the cockpit; accidents dropped sig- 
nificantly after the airlines put pilots 
through multicultural communica- 
tion training. Multicultural group pro- 
cesses such as the Barrett-Fry Appre- 
ciative Inquiry! and the Straus-Layton 
method’ have been very successful at 
developing shared interpretation and 
solidarity in pluralistic communities. 
Strozzi-Heckler® reports that Leader- 
ship practices for making assessments 
and blending have been very effective 
for teams and groups. Tuomi’ concluded that loosely formed volunteer networks of collaboration frequently fall into practices like these.


An Experiment 
We recently completed a four-month 
experiment to examine whether an 
MMOG could be used as a learning 
environment for the core practices 
listed here. The diversified group con- 
sisted of 28 people who did not know 
each other. They came from about 
half a dozen countries and varied pro- 
fessional backgrounds. The MMOG 
was the WOW game. We chose WOW 
because it is an amazingly complex 
synthetic world created by a social 
machine from the interactions of mil- 
lions of players. John Seely Brown and 
Douglas Thomas have already brought 
WOW to the attention of the business 
community as a possible training 
ground for leadership.

Within the WOW context, it is possible to define precisely what it means
for a small team to be proficient by extending the Dreyfus definitions
from individuals to teams. The definitions enable us to measure the
progress of teams toward proficiency. The game guides players gradually
up a hierarchy of 80 levels, starting from the novice level 1. Every
quest (exercise) in the game is rated for the level of players allowed
to undertake it.

Players who reach a sufficient level 
may team with others in groups for 
raids into “dungeons” that house 
powerful denizens (called “bosses”) 
that cannot be defeated by individu- 
als. Successful raids are a measure of a 
team’s coordination proficiency under 
pressure. We measured team learning 
proficiency by the number of success- 
ful raids at each level of difficulty, and 
by the new actions team members 
were applying to their daily lives. 

Each player satisfied the first prac- 
tice on the list above by attaining a 
sufficient game level. We set up gen- 
eral team practices for the remainder 
of the list. Observers accompanied the 
teams in-game to monitor their coor- 
dination and coach them on their use 
of the general practices. The observer 
made sure that the team paused peri- 
odically to share their moods and hon- 
est performance assessments (prac- 
tice 5 on the list); this enabled them to 
regenerate their shared interpretation 
of what they were doing. 

On completion of each in-game 
assignment, the teams debriefed in 
a standard after-action assessment 
exercise to critique each other’s per- 
formances, reflect on their overall ef- 
fectiveness, and plan new strategies 
for their next assignment. They also 
reflected on how the coordination 
practices they were learning would ap- 
ply in their real-life worlds. 

Some in-game assignments were team raids to defeat high-level bosses.
One of the bosses was so tough that there was no hope for any team to
survive; the purpose was to see how the teams handled their moods when
faced with an impossible situation.

Avatar used in team-building experiment.

We observed that the general coordination practices were initially
unfamiliar to most team members. Even after the first month of working
together, many members had difficulties voicing assessments of their
teammates. Slowly they learned that sharing performance assessments
was progressively easier with practice and they overcame their aversions.
Over time, the regular practice of making these assessments ceased to
embarrass or to generate hard feelings. Because acting on these
assessments significantly improved their team success, the teams came to
value them. Their mutual respect, solidarity, and team effectiveness
improved markedly. By the end of the four months, teams openly wondered
why they had not been using these practices at work.

In the first two months, only one of 
the six teams achieved solidarity and 
clear proficiency. We then shuffled the 
team members into new teams for the 
next two months. This time, all teams 
achieved solidarity and proficiency. 

The experiment validated our intuition that the general practices foster
proficient diversified coordination.


Conclusion 

The inability to achieve proficient coordination in pluralistic networks
is a real problem. It is becoming worse as the global Internet creates
more connections and more opportunities for people to work together
across international and organization boundaries. Disaster relief
experiences have called wide attention to the problem, and have
stimulated research into what is needed for coordination in pluralistic
networks.

The universal values of articulating visions, making and fulfilling
commitments, eliminating waste, sharing performance assessments,
disclosing moods, observing histories, and blending, underlie an enabling
core of general team practices that lead to proficiency at pluralistic
coordination. The MMOG game environment is a means of engaging teams in
complex tasks requiring sophisticated use of these practices in a
synthetic world.

Preliminary examples of compu- 
tational tools to facilitate these prac- 
tices can be seen already in the WOW 
game environment. Numerous interface
add-ons present situational
information in easy-to-interpret for- 
mats. Group forming tools make the 
process of creating diversified teams 
ridiculously easy. Voice-over-IP tools 
facilitate group conversations for co- 
ordination. 

Despite the preliminary nature of 
these conclusions, the results are suf- 
ficiently intriguing to warrant a wider 
discussion of how computing profes- 
sionals can help with this important 
problem.
Richard Tapia


Broadening Participation
Hiring and Developing Minority Faculty at Research Universities


Emphasizing the importance of creating more programs and investing more
funding toward the goal of developing minority faculty at research universities.


No one was surprised, certainly not those of us who sit in science and
engineering faculty meetings as the only underrepresented minority in
the room, by Donna Nelson’s recent study results—the second edition of
which was released this January—of tenured and tenure track faculty in
the top science and engineering departments (as ranked by the U.S.
National Science Foundation according to research funds expended).
Nelson concludes “There are relatively few tenured and tenure-track
underrepresented minority (URM) faculty in these research university
departments, even though a growing number and percentage of minorities
are completing their Ph.D.s. Qualified minorities are not going to
faculties of many science and engineering disciplines.” While computer
science had the lowest percentage of URM professors in 2002, other
disciplines, noticeably math and physics, grew increasingly worse in the
ensuing five years to equal this distinction (see
http://chem.ou.edu/~djn/diversity/Faculty_Tables_FY07/07Report.pdf for
the complete data set from the second edition of the report).


Importance of Minority Faculty at Research Universities

Nelson makes a strong point in her report on the importance to the
university and to the discipline of having minority faculty. She says,
“Dearth of minority faculty at a university or in a discipline
discourages minority students from selecting that university or
discipline, since most students are comfortable in environments that
include people with backgrounds and characteristics similar to theirs.”
Students who do choose the discipline need role models and mentors to
inspire, motivate, and encourage them.

Richard Tapia at the Tapia Celebration of Diversity in Computing, April 2009.

Over the years at Rice University, I have directed or co-directed 23 URMs
or women Ph.D. doctoral recipients in Computational and Applied
mathematics and lead an NSF Alliance for Graduate Education and the
Professoriate (AGEP) with approximately 65 URM students from across
science and engineering. Each year I teach an advanced-level class in
optimization theory in the engineering division. Minority students from
the various engineering disciplines are invariably drawn to my class.
They seem to be motivated to perform well, and usually do. Often a
minority student is at the top of the class even though there are many
excellent non-minority students in the class. A few years ago, I had 24
students in class and 12 were minority. Just think: 50% of the students
in an advanced level class at a Tier 1 Research School were minorities.

As minority faculty we serve as role models in two directions. We
demonstrate feasibility to the minority students and show the
non-minorities that we as minorities can be excellent teachers and
faculty. We promote understanding in components that non-minority
faculty members cannot.

I want to make what I believe is an often-overlooked critical point about
the importance of minority faculty at our best research universities.
Leadership in science and engineering comes from top research
institutions. I believe that much of my national leadership has been
possible because I am a faculty member at a respected university with
respected research credentials. I am often asked to speak to research
university presidents, faculty members, and national government leaders
about representation. They listen to me because they know that I have
been there. We must have strong faculty representation at the nation’s
leading universities in order to produce high quality URM scientists.
Consequently, I strongly encourage us to create more programs and invest
more funding with the goal of developing minority faculty at research
universities.


What Won't Work

There is a growing movement for Minority Serving Institutions (MSIs) to
develop Ph.D. programs, but Ph.D.s produced at MSIs will not become
faculty at top research universities. Top research universities choose
faculty from Ph.D.s produced at top research universities. I am extremely
concerned that this will produce a permanent underclass. If we
underrepresented minorities are ever to be an equitable presence as
faculty at our top-level schools, then our students must be schooled at
those same institutions. This is a hard statement for me to make. I have
great friends at MSIs for whom I have great admiration. Their students
speak warmly of how confident and supported they felt in their
experiences there. Research universities should learn from them how to
nurture that kind of confidence, but MSIs should not expect to produce
graduate programs of the same caliber that more than a hundred years of
investment has produced at the nation’s top research universities. More
about this topic can be found in my Chronicle of Higher Education
article, “Minority Students and Research Universities: How to Overcome
the ‘Mismatch’.”

Also, filling faculty positions with foreign scholars—even those who are
black, brown, or Spanish-speaking—does little to solve the problem of
universities’ lack of success with Mexican-American, Puerto Rican, and
black youth from across the U.S. People from
places like Africa, Spain, or Latin Amer- 
ica cannot be effective role models or 
mentors for African-Americans and La- 
tinos who grew up in the U.S. In fact, it 
is not unusual for those scholars to view 
their domestic-minority counterparts 
negatively and to strongly resist being 
identified with them. Many interna- 
tional students were admitted to gradu- 
ate school in the U.S. because they were 
highly competitive and the best students 
of their nations. Often the products of 
early academic tracking, they have had 
strong educational foundations and in- 
tense, specialized study in their fields. 

Also, foreign scholars were not 
viewed as racially or ethnically different 
in their countries of origin and, from 
their formative years on, made to feel 
they were second-class citizens who did 
not belong in higher education or in 
leadership positions. So when we make 
those hires, we must understand that 
we are not doing our part to increase 
participation, or provide role models. 
A fuller development on this topic can 
be found in my Chronicle of Higher Edu- 
cation article, “True Diversity Doesn’t 
Come From Abroad.” 

Another mistake we often make is 
of exclusively working up the ladder 
rather than also starting at the top and 
working down: starting with K-12 to in- 
crease the pool of bachelor’s degrees in 
science and engineering, for example. 
As a long-term solution, this is necessary, but we can’t wait for the
next generation; we need to do something now that will have an immediate
impact.


What Will Work 

Universities have the responsibility to hire and promote minority faculty
members, and if we take the role seriously, we could make a significant
improvement over the next five years. Here are some steps that I think
we need to take:

Put qualified people in strong post-doctorate positions. Graduate
research advisors must take a role in finding a strong post-doc position
for students with potential. After receiving my Ph.D. from UCLA, I was
guided by David Sanchez, the only underrepresented minority faculty
member at that time in the UCLA Mathematics Department, to a
post-doctoral position at the University of Wisconsin. This intervention
and guidance was probably the most important in my entire professional
life. At Wisconsin, I was very fortunate that I got to work with some of
the finest mathematicians in my area. I was fully integrated into the
research program. Graduate advisors must elicit a commitment of that kind
of relationship from the post-doc advisor and then check to see that it
is happening. The post-doc position may be the most critical step in
either making or breaking a successful future in the academy.

Reexamine hiring criteria. When top level departments hire new faculty,
their number one criteria is the candidate’s potential to be the next
Gauss or Turing. What we assess when we hire is not what we expect or
need of all faculty. I will illustrate this point with a story. A few
years back I was invited to the University of California Berkeley as a
Regents Lecturer. I gave five different talks in five days. In my
university-wide talk on diversity, I included a segment entitled “Why
the Berkeley Math Department Would Never Hire Me.” The reason is that my
potential for winning a Fields Medal in Mathematics is low, even though
I have performed solid research that would get me tenure at essentially
any university including Berkeley. As I went from talk to talk the
minority graduate students followed me around like I was the Pied Piper
of Hamelin. I told them that my next talk really was not for graduate
students. They said they did not care and just wanted to interact with
me. Simply stated, I would give Berkeley more than 99% of their faculty
in the broad and complete sense. Of course, I would be promoted; I would
give in so many components that the university values. At universities
like Berkeley, the promotion criteria are much broader than the hiring
criteria, and this is good for the university and the nation.

At Rice in 2005 I was appointed Uni- 
versity Professor, an honor bestowed 
upon only six individuals, including two 
Nobel Laureates, in its 100-year history. 
However, I did not gain this distinction 
for my research alone, but primarily for 
contributions in the other dimensions 
I have discussed. When I gave my ac- 
ceptance speech I thanked Rice for be- 
ing sufficiently progressive to allow me 
to do it my way. I stated that I hope this 
example serves to show young faculty 
members that there are various paths 
to the same place, not just one, and the 
other more non-traditional paths are 
important. The Berkeley Math Depart- 
ment would greatly benefit from hiring 
someone like me, but they are unwilling 
to break their traditional hiring culture. 
And Berkeley is of course, representa- 
tive of other universities that follow the 
same course of action in hiring. 

Mentor young faculty. The Nelson data shows a loss as members go through
the tenure process, a heartbreaking failure. It is wrong to assume that
beginning faculty members will understand faculty culture and what is
expected of faculty members. They need someone who will be forthright
with them about departmental expectations. Someone must warn them of the
danger of being enticed away from research by too much leadership or
outreach too soon. This mentoring must be proactive. Young minority
faculty members frequently will not ask for help or express concern that
there is any problem with their progress. A few years ago, the Rice
Sociology Department denied tenure to a young minority woman claiming
that her as yet unpublished book on minority K-12 education was not up
to par with their standards. Yet this book when published was extremely
well received and allowed her to be hired with tenure at an excellent
Tier 1 University. In talking to this woman, she told me she was shocked
by the decision and thought the department was most happy with her
research. She had not had sufficient communication with her chair. The
loss to Rice was huge; this young woman was the primary mentor of Rice
minority women undergraduates across campus. Many a tear was shed and
much anger felt when she left. In another case, a minority faculty
member was denied tenure because he had extremely poor teaching
evaluations. He was hired from industry, and his research was solid, but
he had not been sufficiently well mentored on the need for good
teaching. Rice lost a valuable faculty member who could have been saved
with proper mentoring. Just as industry has for new executives, many
departments are now making new faculty mentoring a formal responsibility
of caring senior faculty members, and more need to do so.

We often lament the condition of 
representation without providing sug- 
gestions for making changes. I hope 
the suggestions I’ve made here might 
be the impetus for discussions in de- 
partments across the U.S. I am keenly 
interested in this process and welcome 
participation in a national effort to 
improve representation of university 
science and engineering faculty. 
Making the Case for Computing


Seeking funding for current and future computing initiatives requires
both a strong argument and a broad community of supporters.


When it comes to distributing trillions in U.S. taxpayer dollars, funding
for science joins a crowded field of special interests where competition
for federal funding is fierce. Policymakers are ultimately stewards of
taxpayer dollars and must make judgments about the areas in which
government has a legitimate reason to invest. And because tax dollars
are not limitless, policymakers must prioritize federal investments,
deciding which programs or which agencies have the most compelling need
for funding.
Consequently, every special interest—from researchers to road-builders,
health care professionals to hovercraft manufacturers—has an advocacy
group urging policymakers to focus federal investment in their
particular area. What ties all of these groups together is the need to
have a story—a case to make to Congress, the Administration and the
American people—that justifies the expenditure of those tax dollars on
the things they care about.


Funding Decisions 
The stakes are high. Last year (fiscal year 2009), the U.S. discretionary
budget—that is, the amount not automatically committed to federal
programs like Social Security or Medicare—was just over $1 trillion.
Congress spent that money, as it does every year, by parceling it out to
federal agencies and programs in 12 separate pieces of legislation. This
is quite literally a zero-sum game. Aggregate spending by Congress is
capped, and each of these 12 appropriations bills has its own spending
cap. This means that once the spending caps are reached—and they always
are—any additional increase in spending for one program must be offset
by an equal reduction in another program.

As a result, policymakers find the need to invest in fundamental research
in competition with the need to fund agricultural subsidies, or the need
to support ongoing military efforts in Afghanistan and Iraq, or the need
to fund sewer projects in their own districts. In fact, it is more stark
than that, because Congressional rules stipulate that any increase to a
program in one of the 12 appropriations bills must be offset by a
decrease to a program in that same bill. So, additional increases in
spending for federal science agencies like the National Science
Foundation or the National Institute of Standards and Technology may
result in cuts to another science agency like the National Oceanic and
Atmospheric Administration, or to a program to subsidize bulletproof
vests for local law enforcement, or to the Census Bureau, because they
all reside in the same bill.

Government funding for computing research is tight and the competition plentiful. A new infrastructure for computational oceanography
incorporating the VisTrails system created by the University of Utah was among the scientific projects receiving support from The National
Science Foundation’s Cluster Exploratory (CluE) program in 2009.

So just like any other special inter- 
est group, advocates for science— 
advocates for a greater federal invest- 
ment in fundamental research, and in 
particular, for computing research— 
have had to learn to make a case 
compelling enough to survive in this 
competition for funding. But unlike 
other special interest groups, science 
advocacy groups like the Computing 
Research Association or ACM’s U.S. 
Public Policy Committee compete at a 
disadvantage because we lack (due to 
legal restrictions and organizational 
cultures) political action committees 
(PACs) to contribute to the campaigns 
of members of Congress or vast re- 
sources to fly congressional delega- 
tions out to exotic locales on fact-find- 
ing trips. Our success is based solely 
on the strength of our arguments and 
an active community making them. 

While we are limited in the tools 
of influence, we have a powerful case. 
Fundamental research in information 
technology has led to tangible break- 
throughs that have created entire new 
industries, driven economic growth, 
and developed deep and productive 
relationships between industry and 
universities. 


Computing Advances 

Advances in computing have changed all aspects of our lives: how we
conduct commerce, how we learn, our employment, our health care, how we
manufacture goods, how government functions, how we preserve our
national security, how we communicate, and how we’re entertained.

Advances in computing drive our economy—not just through the growth of
the IT industry, but also through productivity gains across the entire
economy. Recent analysis suggests that the remarkable economic growth
the U.S. experienced between 1995 and 2002 was spurred by an increase in
productivity enabled almost completely by factors related to IT. The
processes by which advances in information technology enable
productivity growth, enable the economy to run at full capacity, enable
goods and services to be allocated more efficiently, and enable the
production of higher quality goods and services are now well understood.

Advances in computing enable innovation in all other fields. In business,
advances in IT are giving researchers powerful new tools, enabling small
firms to significantly expand R&D, boosting innovation by giving users
more of a role, and letting organizations better manage the existing
knowledge of its employees. In science and engineering, advances in IT
are enabling discovery across every discipline—from mapping the human
brain to modeling climatic change. Researchers, faced with research
problems that are ever more complex and interdisciplinary in nature, are
using IT to collaborate across the globe, and to collect, manage, and
explore massive amounts of data. Computer modeling, visualization, and
data analysis have joined observation, theory and experiment as the
drivers of scientific discovery.

Advances in computing continue unabated. Worldwide, there has been no
slowdown in the pace of innovation, the production of new ideas, the
discovery of additional opportunities to advance products and services
for society.

Thus, leadership in computing is essential to the U.S., economically and
socially.


Future Opportunities

While the history of computing-related contributions to shaping our world
is a compelling topic, future opportunities in computing—where the field
might go and what problems it might tackle—are perhaps even more
compelling. Whether it’s creating the future of networking,
revolutionizing transportation, delivering personalized education,
enabling the smart grid, empowering the developing world, improving
health care, or driving advances in all fields of science and
engineering—all national priorities—computing has key contributions to
make and key roles to play. In March 2009, the National Academy of
Engineering unveiled 14 “Grand Challenges for Engineering” for the 21st
century (see http://www.engineeringchallenges.org/). The majority of
these—the majority of the “Grand Challenges” for all of
engineering—have either substantial or predominant information
technology content:

» Secure cyberspace

» Enhance virtual reality

» Advance health information systems

» Advance personalized learning

» Engineer better medicines

» Engineer the tools of scientific discovery

» Reverse engineer the brain

» Prevent nuclear terror (to a great extent a sensor network and data
mining problem)

And there are many more information technology challenges of equally
high impact:

» Create the future of networking

» Empower the developing world through appropriate information and
communication technology

» Revolutionize transportation safety and efficiency

» Build truly scalable computing systems, and devise algorithms for
extracting knowledge from massive volumes of data

» Engineer advanced “robotic prosthetics” and, more broadly, enhance
people’s quality of life

» Instrument your body as thoroughly as your automobile

» Engineer biology (synthetic biology)

» Revolutionize our electrical energy infrastructure: generation,
storage, transmission, and consumption

» Achieve quantum computing

It is impossible to imagine a field with greater opportunity to change
the world.

Computing facilitates innovation because a vital IT R&D ecosystem enables
innovation within IT itself. At the heart of this ecosystem is federally
sponsored research. A 1995 study by the National Research Council (NRC)
describes the “extraordinarily productive interplay of federally funded
university research, federally and privately funded industrial research,
and entrepreneurial companies founded and staffed by people who moved
back and forth between universities and industry.” That study, and a
subsequent 1999 report by the President’s Information Technology
Advisory Committee, emphasized the “spectacular” return on the federal
investment in long-term IT research and development. Indeed, a 2003 NRC
study identified 19 multibillion-dollar IT industries—industries that
are transforming our lives and driving our economy—that were enabled by
federally sponsored research (see
http://books.nap.edu/openbook.php?record_id=10795&page=5).


Academia and Industry 

Beyond transforming society and bol- 
stering economic growth, funding 
for computing research and the sub- 
sequent development of the U.S. IT 
sector has created particularly strong 
relationships between universities 
and industry. Robust funding for re- 
search has allowed university research 
to assume the role of focusing on fun- 
damental questions and long-term 
problems, without supplanting indus- 
trial research and development. While 
industry research, geared primarily 
toward short-term development, does 
not supplant university research. 

In fact, industry generally avoids long-term research because it entails
risk in a couple of unappealing ways. First, it is difficult to predict
the outcome of fundamental research. The value of the research may
surface in unanticipated areas. Second, fundamental research, because it
is published openly, provides broad value to all players in the
marketplace. It is difficult for any one company to “protect” the
fundamental knowledge gleaned from long-term research and capitalize on
it without everyone in the marketplace having a chance to incorporate
the new knowledge into their thinking.

A sustained, robust commitment to long-term, fundamental research is also
necessary because the innovations that drive the new economy today are
the fruits of investments the federal government made in fundamental
research 10, 15, or even 30 years ago. Essentially every aspect of
information technology upon which we rely today—the Internet, Web
browsers, public key cryptography for secure credit card transactions,
parallel database systems, high-performance computer graphics, portable
communications...essentially every billion-dollar sub-market—is a
product of this commitment and bears the stamp of federally supported
research.

Computing has a compelling story, and fortunately one that finds a lot of
support in Congress and in the Administration. The federal government
currently invests more than $3 billion per year in information
technology R&D across 13 different agencies, and that figure could
increase significantly if the Obama administration follows its plan to
increase funding at key science agencies and Congress concurs.

However, looking forward, making our case will be more important than
ever.
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Not only is society faced with grand 
challenges that will require funda- 
mental breakthroughs in computing, 
but competition for scarce federal dol- 
lars is going to be more intense than 
ever. The competitive environment 
we’ve described was largely in the era 
of U.S. federal deficits of billions of
dollars; today the federal deficit is over
a trillion dollars with major spend- 
ing proposals—such as health care 
reform—currently winding through 
Congress. The budget politics driving 
these issues are the same politics that 
can affect spending for fundamental 
research. Without a strong case and 
support from a broad community (in- 
dustry, higher education, and scien- 
tific societies) in making it, research 
funding and the innovations it enables 
will face a chilly reception among poli- 
cymakers. 

With your help, we’ll continue to 
make the case for computing research 
wherever we can. We encourage you to 
take advantage of any opportunities 
you might have in your own commu- 
nity to do the same. 

Authors’ Note: The inspiration for 
this column, and indeed some of the 
text, came from a white paper prepared
by Peter Harsha along with Edward 
Lazowska (University of Washington) 
and Peter Lee (Carnegie Mellon Uni- 
versity). The white paper (“Informa- 
tion Technology R&D and U.S. Innova- 
tion”) was one of a series prepared in 
December 2008 at the request of the 
Obama Administration by the Com- 
puting Community Consortium, to 
aid in the transition of Presidential 
Administrations. The collected series
of white papers, entitled Computing
Research Initiatives for the 21st Centu-
ry, is available at http://www.cra.org/ccc/initiatives.

Viewpoint
Privacy on the Data Web


Considering the nebulous question of ownership in the virtual realm. 


THE WORLD WIDE WEB in its
current form, linking docu-
ments with hyperlinks in
an associative network, has
led to a number of concerns 
about issues related to privacy, copy- 
right, and intellectual property.° But 
the movement away from the linking 
of documents to the linking of data, a 
much more powerful paradigm al- 
lowing automation of a greater num- 
ber of information processing tasks, 
will test legal and technical regimes 
still further. 

The linked data Web, in which het- 
erogeneous data is brought together 
from distributed sources relatively 
seamlessly with user-provided ontolo- 
gies, allows information about individ- 
uals or organizations to be queried de- 
spite being collected at different times 
for different purposes, with different 
provenances and different formats. 
The benefits of such a Web are mani- 
fest®” but threats to personal privacy 
will also increase as boundaries blur 
between personal information pub- 
lished intentionally, that published 
conditionally (for example, to specific 
social networking sites for a specific 
audience) and information over which 
the subject has no control. 

One way of expressing the dilem- 
mas that will face us is to ask the ques- 
tion “who owns all this data?” When it 
is personal data, surely we do? Perhaps 
surprisingly, the answer is no. Even if 
you enter the data yourself, for exam- 
ple onto some Internet service, you do 
not own it—the service generally does.
You will have signed up for something 
in the small print—that is, you will tac- 
itly have consented to handing over 
the data. Given the highly interactive 
nature of the Web where one creates 
data consciously and unconsciously 
all the time, this consent model will 
be increasingly stretched over the next 
few years. 

It has always been somewhat flawed, 
with few limits to the uses to which 
data is put when consent to process
has been lawfully obtained (and privacy
policies may change after one has con- 
sented’). Naive users and minors often 
treat policies, or terms and conditions, 
as a tedious box necessary to check to 
get onto a site, rather than as signing 
away their rights.* But even when there 
are no problems of asymmetric infor- 
mation or proportionality, there are 
social issues to be considered—privacy 
is not a private matter. It impacts on a 
series of wider communities.

A social network includes lots of in-
formation not directly about you. The
information is implicit, but network
analysis makes it explicit. The evidence
of a network is circumstantial, but an
important basis for profiling. For ex- 
ample, if you have a high percentage of 
gay friends does that mean you are gay? 
Many people—gay or straight—would 
find that inference embarrassing. 

We do not own our networks. In Jan- 
uary 2008, blogger Robert Scoble au- 
tomatically harvested the names and 
email addresses of his several thou- 
sand Facebook friends, and exported 
them to another account. The row was 
resolved amicably in the end—but the 
outcome was that Scoble’s network 
was not his to harvest. 

Given the benefits of wide access to data, it is appropriate to ask whether “ownership” is the concept needed. In the first place, legal frameworks that define a type of data ownership for the subject are absent—these are facts about a person, not copyright material, intellectual property, or trade secrets.

Second, the most important power of ownership is denial of access: if I own something, I can stop you using it. But this undermines the potential of the Web of linked data. In the old days of paper and practical obscurity, the value of information was in its scarcity, but on the Data Web value comes from abundance, the ability to place information in new and unexpected contexts, facilitating what Tim Berners-Lee calls “serendipitous reuse.”’ Ensuring data is correct is more valuable than preventing its use. We should also not ignore the opposite pull from rights of access to information, as a corollary to rights of freedom of expression,’ while many people and organizations have legitimate interests in access to data.

This is the rationale for data protection, whose aim is not exclusively to protect individuals’ privacy, but rather to balance privacy with the maintenance of the free flow of information, as well as other desirable things for individuals like quality and accessibility.'° Under a data protection regime, individuals have the right to inspect and correct information being held about them, in theory allowing them to address issues of incorrectness, inappropriateness, excessiveness, and so on.

It also has the effect of bringing rules into the area directly—data protection provides controls administered by a regulatory body over how data should be handled. On the other hand, one’s privacy can only be addressed under an ownership regime in court after a tort or legal injury had occurred as a result of misuse.

In Europe, the 1981 Council of Europe Convention on data protection was required to reconcile the right of privacy in Article 8 of the European Convention on Human Rights with the right of freedom of expression given in Article 10. The Convention led directly to the EU’s directive on data protection in 1995 (95/46/EC), and to national legislation such as the U.K.’s Data Protection Act of 1998.'° Most industrialized nations have some sort of data protection legislation in place, although European laws are probably the most comprehensive.

There are differences between jurisdictions, of which some extend protection to legal entities like companies, others include non-digital information under the remit, others have restricted data protection to public sector data, while still more have argued that information affecting national sovereignty or sociocultural interests should also fall under the banner, with states having rights as well as individuals.

This variation is often cultural; some 
nations value privacy more than others, 
Continental Europeans worry about 
corporations’ access to data, while An- 
glophone nations tend to be more sus- 
picious of governments, and so on. Yet
it also matters economically—some se- 
nior business people suspect that such 
is the value of data that businesses in 
those states with strong data protec-
tion laws, such as Germany, could well
lose out to those in jurisdictions with 
less protection, such as the U.K. 

Different regimes offer different 
levels of protection. Consider for in- 
stance the definition of personal data. 
Belgium has incorporated the wording 
of Directive 95/46/EC directly into law, 
covering anyone who can be identified 
directly or indirectly from the data, 
while the U.K. has altered the wording 
to cover only those who could be identi- 
fied by the data controller from the data. 
Data that can be used to identify one 
(such as an IP address) can be collected 
without data protection legislation in 
the U.K. as long as the controller has 
no way of going from IP address to an 
individual.® 

Nevertheless, the Web is an opaque 
place, especially to non-expert users. 
Putting the onus on the data subject 
to ask for details of how personal data 
is being used ensures that much will 
be missed—how many know the right 
questions to ask about cookies, ISPs, 
search engines, or browsers? Will it pay 
regulators to take a stronger stance? 

Regulation of the Web is a complex 
matter, crossing jurisdictions and pos- 
ing problems for the W3C’s consen- 
sus-based standards approach. Regu- 
lation generally leverages normality, 
and is premised on common behavior 
and shared interpretations of a situ- 
ation."'' It is more effective if it goes 
with the grain of a society’s norms, but 
online there is no “normal” behavior, 
as work on the scale-free aspects of 
the Web has repeatedly demonstrated 
(recently in Meiss et al.°), while user 
understanding of online situations is 
highly heterogeneous. 

The Web moves so quickly that reg- 
ulation is risky. It takes time and coor- 
dination across borders; by the time 
rules are in place, behavioral patterns 
may likely have changed, and all that 
is left is unintended consequences.°® 
Directive 95/46/EC dates back to 1995, 
with key updates to cover traffic and 
location data introduced in 2002. The 
scale and speed of the Web’s evolution 
means that carefully considered regu-
lation is rarely timely; the whole pri-
vacy-threatening phenomenon of Web
2.0 has arisen since those directives.
For example, in social network sites
friends sometimes take information
that a user had originally character-
ized as private to them and republish it
to their immediate friends. The disci- 
pline of Web Science covered recently 
in these pages® is an attempt to har- 
ness transdisciplinary endeavor to try 
to understand the complex feedback 
cycles between the Web and society. 

If ownership and regulation are prob- 
lematic, what to do? We have two pro- 
posals, one modest, one a little deeper. 

As things stand, privacy is a game 
for the rich and well informed, creating 
a digital divide to which one response 
is to redress the balance by exploring 
ways in which people can perceive ad- 
vantage from protecting their privacy. 
In particular, if we can shift the empha- 
sis from concealment to transparen- 
cy—from the concealment of data from 
potential users, to transparency of how 
data is being used—we can begin to 
provide answers to questions like “who 
is looking at you?” and “what is being 
said about you?” Data will continue to 
be gathered, aggregated and graphed, 
but its use should be clear and trace- 
able. We are of course gesturing toward 
the work of Daniel Weitzner and col- 
leagues on information accountability, 
reported in this magazine.” 

With a proper infrastructure in 
place, it should be possible to con- 
struct legal/technical/economic mod- 
els where people can be recompensed 
for the use of their data—you could be 
paid for your clickthroughs. Or perhaps 
you would require a donation to a cause 
of your choice in return for your click- 
throughs. If others are making money 
from observing your activity, it doesn’t 
seem outrageous that you or your nom- 
inees should be compensated. 

It may be that the commercial thirst 
for consumer data is about to wane as 
the global financial crisis undermines 
advertising, and therefore the business 
models of many Internet companies. 
But this idea is just one instance of a 
more general principle of reciproc- 
ity between technology developers and 
information subjects. If a technology 
makes public service more efficient, 
or a business process more profitable, 
then it should also be used reciprocally 
to aid the citizen or consumer. 

If government officials have better 
access to data as a result of technology, 
then citizens should too—improved 
data for government implying more 
freedom of information. Indeed, this
is the thrust of the Making Public Data 
Public project on which Nigel Shadbolt 
and Tim Berners-Lee are advising the 
U.K. government.’ Although the proj- 
ect is focusing on non-personal public 
sector information the premise is that 
more data increases transparency and 
can drive public sector improvement 
and reform. In the context of personal 
information a consumer should be 
able to get improvements in data pro- 
tection, for example by being able to 
use technology to enforce access to 
information in the many jurisdictions 
where such enforcement is currently 
problematic.’ 

As our rights as citizens and as con- 
sumers seem to be coming together, 
markets could be redefined to change 
the incentives to protect one’s own pri- 
vacy and respect that of others, for exam- 
ple, as with principles such as ‘the pol- 
luter pays.’ The analogy with pollution 
is suggestive for our more fundamental 
idea—an invasion of privacy has things 
in common with pollution, in particular 
that the individual benefits and costs do 
not capture the full social costs. 

In many jurisdictions, particularly 
common law ones, the complexities 
of privacy are dealt with by exploiting 
collective wisdom, referring individual 
cases to a reasonable expectation of 
privacy. In other words, if one behaves 
in such a way that one could not rea- 
sonably expect to be private, then oth- 
ers are not liable for invading one’s pri- 
vacy. Reasonable expectations change 
through time and space, making law 
sensitive to context. 

Online, reasonable expectations are 
diminishing all the time, as our clicks 
are logged and people generously give 
information about themselves and oth- 
ers away to their social networks. Sur- 
veillance is becoming the norm, with 
the complicity of many data subjects. 
But might this be a social harm?

Privacy is essential for the proper
functioning of a liberal, democratic so- 
ciety. Some benefits may accrue to the 
individual (who gains autonomy, a space 
of intimacy, freedom of speech, and so 
forth). But equally benefits accrue to 
society—a free, liberal polity of autono- 
mous individuals is a public good, in the 
same way that clean air is. Everyone ben- 
efits, even if not everyone contributes. 

If privacy is a public, not a private, 
good, then talking exclusively of rights 
is not the right way to go. Perhaps we 
should be talking of the responsibilities 
of privacy too. This would involve some- 
thing of a culture change, especially in 
our voyeuristic society.’ But this would 
not be unprecedented: it was privacy 
activists, not the law, which pressured 
Web sites in the 1990s to respect pri- 
vacy rather than promiscuously gather- 
ing and selling consumers’ data.* 

Perhaps it is our duty to ensure that 
reasonable expectations of privacy are 
kept high.

Kirk McKusick and Sean Quinlan discuss the
origin and evolution of the Google File System.

GFS: Evolution on Fast-Forward

DURING THE EARLY stages of development at Google, the
initial thinking did not include plans for building a new 
file system. While work was under way on one of the 
earliest versions of the company’s crawl and indexing 
system, however, it became quite clear to the core 
engineers that they really had no other choice—thus, 
the Google File System (GFS) was born. 

Given that Google’s goal was to build a vast storage 
network out of inexpensive commodity hardware, it 
had to be assumed that component failures would 
be the norm—meaning that constant monitoring, 
error detection, fault tolerance, and automatic 
recovery must be an integral part of the file system. 
Also, even by Google’s earliest estimates, the system’s 
throughput requirements were going to be daunting 
by anybody’s standards—featuring multi-gigabyte 
files and data sets containing terabytes of information 
and millions of objects. Clearly, this meant traditional 
assumptions about I/O operations and block sizes
would have to be revisited. There was
also the matter of scalability. This was 
a file system that would surely need to 
scale like no other. Of course, back in 
those earliest days, no one could have 
possibly imagined just how much scal- 
ability would be required. They would 
learn about that soon enough. 

Still, nearly a decade later, most of
Google’s mind-boggling store of data
and its ever-growing array of applica-
tions continue to rely upon GFS. Many
adjustments have been made to the file 
system along the way, and—together 
with a fair number of accommodations 
implemented within the applications 
that use GFS—they have made the jour- 
ney possible. 

To explore the reasoning behind a 
few of the more crucial initial design 
decisions as well as some of the incre- 
mental adaptations that have been 
made since then, Sean Quinlan was 
asked to pull back the covers on the
changing file-system requirements and
the evolving thinking at Google. Since
Quinlan served as the GFS tech leader
for a couple of years and continues now
as a principal engineer at Google, he’s 
in a good position to offer that perspec- 
tive. As a grounding point beyond the 
Googleplex, Kirk McKusick was asked 
to lead the discussion. He is best known 
for his work on BSD (Berkeley Software 
Distribution) Unix, including the origi- 
nal design of the Berkeley FFS (Fast File 
System). 

The discussion starts at the begin-
ning—with the unorthodox decision to
base the initial GFS implementation on
a single-master design. At first blush, 
the risk of a single centralized master 
becoming a bandwidth bottleneck—or 
worse, a single point of failure—seems 
fairly obvious, but it turns out Google’s 
engineers had their reasons for making 
this choice. 
MCKUSICK: One of the more interesting— 
and significant—aspects of the original 
GFS architecture was the decision to 
base it on a single master. Can you walk 
us through what led to that decision? 
QUINLAN: The decision to go with a
single master was actually one of the
very first decisions, mostly just to sim-
plify the overall design problem. That is,
building a distributed master right from
the outset was deemed too difficult and
would take too much time. Also, by go-
ing with the single-master approach, the
engineers were able to simplify a lot of
problems. Having a central place to con- 
trol replication and garbage collection 
and many other activities was definitely 
simpler than handling it all on a distrib- 
uted basis. So the decision was made to 
centralize that in one machine. 
MCKUSICK: Was this mostly about be-
ing able to roll out something within a 
reasonably short time frame? 

QUINLAN: Yes. In fact, some of the en- 
gineers who were involved in that early 
effort later went on to build BigTable, 
a distributed storage system, but that 
effort took many years. The decision to 
build the original GFS around the single 
master really helped get something out 
into the hands of users much more rap- 
idly than would have otherwise been 
possible. 

Also, in sketching out the use cases they anticipated, it didn’t seem the single-master design would cause much of a problem. The scale they were thinking about back then was framed in terms of hundreds of terabytes and a few million files. In fact, the system worked just fine to start with.

MCKUSICK: But then what?

QUINLAN: Problems started to occur once the size of the underlying storage increased. Going from a few hundred terabytes up to petabytes, and then up to tens of petabytes...that really required a proportionate increase in the amount of metadata the master had to maintain. Also, operations such as scanning the metadata to look for recoveries all scaled linearly with the volume of data. So the amount of work required of the master grew substantially. The amount of storage needed to retain all that information grew as well.

In addition, this proved to be a bottleneck for the clients, even though the clients issue few metadata operations themselves—for example, a client talks to the master whenever it does an open. When you have thousands of clients all talking to the master at the same time, given that the master is capable of doing only a few thousand operations a second, the average client isn’t able to command all that many operations per second. Also bear in mind that there are applications such as MapReduce, where you might suddenly have a thousand tasks, each wanting to open a number of files. Obviously, it would take a long time to handle all those requests, and the master would be under a fair amount of duress.

MCKUSICK: Now, under the current schema for GFS, you have one master per cell, right?

QUINLAN: That’s correct.

MCKUSICK: And historically you’ve had one cell per data center, right?

QUINLAN: That was initially the goal, but it didn’t work out like that to a large extent—partly because of the limitations of the single-master design and partly because isolation proved to be difficult. As a consequence, people generally ended up with more than one cell per data center. We also ended up doing what we call a multi-cell approach, which basically made it possible to put multiple GFS masters on top of a pool of chunkservers. That way, the chunkservers could be configured to have, say, eight GFS masters assigned to them, and that would give you at least one pool of underlying storage—with multiple master heads on it, if you will. Then the application was responsible for partitioning data across those different cells.


MCKUSICK: Presumably each application would then essentially have its own master that would be responsible for managing its own little file system. Was that basically the idea?

QUINLAN: Well, yes and no. Applications would tend to use either one master or a small set of the masters. We also have something we called Name Spaces, which are just a very static way of partitioning a namespace that people can use to hide all of this from the actual application. The Logs Processing System offers an example of this approach: once logs exhaust their ability to use just one cell, they move to multiple GFS cells; a namespace file describes how the log data is partitioned across those different cells and basically serves to hide the exact partitioning from the application. But this is all fairly static.

MCKUSICK: What is the performance like, in light of all that?

QUINLAN: We ended up putting a fair amount of effort into tuning master performance, and it’s atypical of Google to put a lot of work into tuning any one particular binary. Generally, our approach is just to get things working reasonably well and then turn our focus to scalability—which usually works well in that you can generally get your performance back by scaling things. Because in this instance we had a single bottleneck that was starting to have an impact on operations, however, we felt that investing a bit of additional effort into making the master lighter weight would be really worthwhile. In the course of scaling from thousands of operations to tens of thousands and beyond, the single master had become somewhat less of a bottleneck. That was a case where paying more attention to the efficiency of that one binary definitely helped keep GFS going for quite a bit longer than would have otherwise been possible.


It could be argued that managing to get 
GFS ready for production in record time 
constituted a victory in its own right and 
that, by speeding Google to market, this 
ultimately contributed mightily to the 
company’s success. A team of three was 
responsible for all of that—for the core 
of GFS—and for the system being read- 
ied for deployment in less than a year. 
But then came the price that so often
befalls any successful system—that is,
once the scale and use cases have had 
time to expand far beyond what any- 
one could have possibly imagined. In 
Google’s case, those pressures proved 
to be particularly intense. 

Although organizations don’t make 
a habit of exchanging file-system sta- 
tistics, it’s safe to assume that GFS is 
the largest file system in operation (in 
fact, that was probably true even be- 
fore Google’s acquisition of YouTube). 
Hence, even though the original archi- 
tects of GFS felt they had provided ad- 
equately for at least a couple of orders 
of magnitude of growth, Google quickly 
zoomed right past that. 

In addition, the number of appli- 
cations GFS was called upon to sup- 
port soon ballooned. In an interview 
with one of the original GFS architects, 
Howard Gobioff (conducted just prior 
to his untimely death in early 2008), 
he recalled, “The original consumer of 
all our earliest GFS versions was basi-
cally this tremendously large crawling
and indexing system. The second wave
came when our quality team and re-
search groups started using GFS rather
aggressively—and basically, they were
all looking to use GFS to store large data
sets. And then, before long, we had 50 
users, all of whom required a little sup- 
port from time to time so they’d all keep 
playing nicely with each other.” 

One thing that helped tremendously 
was that Google built not only the file 
system but also all of the applications 
running on top of it. While adjustments 
were continually made in GFS to make 
it more accommodating to all the new 
use cases, the applications themselves 
were also developed with the various 
strengths and weaknesses of GFS in 
mind. “Because we built everything, we 
were free to cheat whenever we wanted 
to,” Gobioff neatly summarized. “We 
could push problems back and forth 
between the application space and the 
file-system space, and then work out ac- 
commodations between the two.” 

The matter of sheer scale, however, called for some more substantial adjustments. One coping strategy had to do with the use of multiple “cells” across the network, functioning essentially as related but distinct file systems. Besides helping to deal with the immediate problem of scale, this proved to be a more efficient arrangement for the operations of widely dispersed data centers.

Rapid growth also put pressure on another key parameter of the original GFS design: the choice to establish 64MB as the standard chunk size. That, of course, was much larger than the typical file-system block size, but only because the files generated by Google’s crawling and indexing system were unusually large. As the application mix changed over time, however, ways had to be found to let the system deal efficiently with large numbers of files requiring far less than 64MB (think in terms of Gmail, for example). The problem was not so much with the number of files itself, but rather with the memory demands all of those files made on the centralized master, thus exposing one of the bottleneck risks inherent in the original GFS design.


MCKUSICK: I gather from the original GFS
paper [in Proceedings of the 2003 ACM
Symposium on Operating Systems Princi-
ples] that file counts have been a signifi-
cant issue for you right along. Can you
go into that a little bit? 

QUINLAN: The file-count issue came 
up fairly early because of the way peo- 
ple ended up designing their systems 
around GFS. Let me cite a specific ex- 
ample. Early in my time at Google, I was 
involved in the design of the Logs Pro- 
cessing system. We initially had a model 
where a front-end server would write a
log, which we would then basically copy
into GFS for processing and archival. 
That was fine to start with, but then the 
number of front-end servers increased, 
each rolling logs every day. At the same 
time, the number of log types was going 
up, and then you’d have front-end serv- 
ers that would go through crash loops 
and generate lots more logs. So we end-
ed up with a lot more files than we had
anticipated based on our initial back-of- 
the-envelope estimates. 

This became an area we really had to 
keep an eye on. Finally, we just had to 
concede there was no way we were go- 
ing to survive a continuation of the sort 
of file-count growth we had been expe- 
riencing. 

MCKUSICK: Let me make sure I’m fol- 
lowing this correctly: your issue with file- 
count growth is a result of your needing 
to have a piece of metadata on the mas- 
ter for each file, and that metadata has 
to fit in the master’s memory. 

QUINLAN: That’s correct. 

MCKUSICK: And there are only a finite
number of files you can accommodate
before the master runs out of memory?

QUINLAN: Exactly. And there are two
bits of metadata. One identifies the file,
and the other points out the chunks
that back that file. If you had a chunk 
that contained only 1MB, it would take 
up only 1MB of disk space, but it still 
would require those two bits of meta- 
data on the master. If your average file 
size ends up dipping below 64MB, the 
ratio of the number of objects on your 
master to what you have in storage 
starts to go down. That’s where you run 
into problems. 

Going back to that logs example, it 
quickly became apparent that the natu- 
ral mapping we had thought of—and 
which seemed to make perfect sense
back when we were doing our back-of-
the-envelope estimates—turned out
not to be acceptable at all. We needed
to find a way to work around this by fig-
uring out how we could combine some
number of underlying objects into
larger files. In the case of the logs, that
wasn’t exactly rocket science, but it did
require a lot of effort.

MCKUSICK: That sounds like the old
days when IBM had only a minimum 
disk allocation, so it provided you with 
a utility that let you pack a bunch of files 
together and then create a table of con- 
tents for that. 

QUINLAN: Exactly. For us, each appli- 
cation essentially ended up doing that 
to varying degrees. That proved to be
less burdensome for some applications
than for others. In the case of our logs,
we hadn't really been planning to delete
individual log files. It was more likely
that we would end up rewriting the logs
to anonymize them or do something
else along those lines. That way, you
don’t get the garbage-collection
problems that can come up if you delete only
some of the files within a bundle.

For some other applications, how- 
ever, the file-count problem was more 
acute. Many times, the most natural de- 
sign for some application just wouldn't 
fit into GFS—even though at first glance 
you would think the file count would 
be perfectly acceptable, it would turn 
out to be a problem. When we started 
using more shared cells, we put quotas 
on both file counts and storage space. 
The limit that people have ended up 
running into most has been, by far, the 
file-count quota. In comparison, the un- 
derlying storage quota rarely proves to 
be a problem.

MCKUSICK: What longer-term strategy
have you come up with for dealing with 
the file-count issue? Certainly, it doesn’t 
seem that a distributed master is really 
going to help with that—not if the mas- 
ter still has to keep all the metadata in 
memory, that is. 

QUINLAN: The distributed master cer- 
tainly allows you to grow file counts, 
in line with the number of machines 
you're willing to throw at it. That cer- 
tainly helps. 

One of the appeals of the distributed 
multimaster model is that if you scale
everything up by two orders of magnitude,
then getting down to a 1MB average file
size is going to be a lot different from
having a 64MB average file size. If you
end up going below 1MB, then you’re
also going to run into other issues that
you really need to be careful about. For
example, if you end up having to read
10,000 10KB files, you’re going to be
doing a lot more seeking than if you’re just
reading 100 1MB files.

My gut feeling is that if you design 
for an average 1MB file size, then that 
should provide for a much larger class 
of things than does a design that
assumes a 64MB average file size. Ideally,
you would like to imagine a system that
goes all the way down to much smaller
file sizes, but 1MB seems a reasonable
compromise in our environment. 

MCKUSICK: What have you been doing
to design GFS to work with 1MB files? 

QUINLAN: We haven't been doing
anything with the existing GFS design. Our
distributed master system that will
provide for 1MB files is essentially a whole
new design. That way, we can aim for 
something on the order of 100 million 
files per master. You can also have hun- 
dreds of masters. 

MCKUSICK: So, essentially no single 
master would have all this data on it? 

QUINLAN: That’s the idea. 


With the recent emergence within 
Google of BigTable, a distributed stor- 
age system for managing structured 
data, one potential remedy for the file- 
count problem—albeit perhaps not the 
very best one—is now available. 

The significance of BigTable goes
far beyond file counts, however.
Specifically, it was designed to scale into
the petabyte range across hundreds or 
thousands of machines, as well as to 
make it easy to add more machines to 
the system and automatically start tak- 
ing advantage of those resources with- 
out reconfiguration. For a company 
predicated on the notion of employing 
the collective power, potential redun- 
dancy, and economies of scale inherent 
in a massive deployment of commodity 
hardware, these rate as significant ad- 
vantages indeed. 

Accordingly, BigTable is now used in 
conjunction with a growing number of 
Google applications. Although it repre- 
sents a departure of sorts from the past, 
it also must be said that BigTable was 
built on GFS, runs on GFS, and was con- 
sciously designed to remain consistent 
with most GFS principles. Consider it, 
therefore, as one of the major adapta- 
tions made along the way to help keep 
GFS viable in the face of rapid and wide- 
spread change. 


MCKUSICK: You now have this thing called 
BigTable. Do you view that as an appli- 
cation in its own right? 

QUINLAN: From the GFS point of view,
it’s an application, but it’s clearly more 
of an infrastructure piece. 

MCKUSICK: If I understand this correctly,
BigTable is essentially a lightweight
relational database. 

QUINLAN: It’s not really a relational da- 
tabase. I mean, we’re not doing SQL and 
it doesn’t really support joins and such. 
But BigTable is a structured storage
system that lets you have lots of key-value
pairs and a schema.


MCKUSICK: Who are the real clients of
BigTable? 

QUINLAN: BigTable is increasingly be- 
ing used within Google for crawling 
and indexing systems, and we use it a 
lot within many of our client-facing ap- 
plications. The truth of the matter is 
that there are tons of BigTable clients. 
Basically, any app with lots of small 
data items tends to use BigTable. That's 
especially true wherever there’s fairly 
structured data. 

MCKUSICK: I guess the question I’m re- 
ally trying to pose here is: Did BigTable 
just get stuck into a lot of these appli- 
cations as an attempt to deal with the 
small-file problem, basically by taking 
a whole bunch of small things and then 
aggregating them together?

QUINLAN: That has certainly been one 
use case for BigTable, but it was actually 
intended for a much more general sort 
of problem. If you’re using BigTable in 
that way—that is, as a way of fighting 
the file-count problem where you might 
have otherwise used a file system to 
handle that—then you would not end 
up employing all of BigTable’s function- 
ality by any means. BigTable isn’t really 
ideal for that purpose in that it requires 
resources for its own operations that are 
nontrivial. Also, it has a
garbage-collection policy that’s not super-aggressive,
so that might not be the most efficient
way to use your space. I’d say that the 
people who have been using BigTable 
purely to deal with the file-count prob- 
lem probably haven’t been terribly hap- 
py, but there’s no question that it is one 
way for people to handle that problem. 

MCKUSICK: What I’ve read about GFS
seems to suggest that the idea was to 
have only two basic data structures: logs 
and SSTables (Sorted String Tables). 
Since I’m guessing the SSTables must
be used to handle key-value pairs and
that sort of thing, how is that different 
from BigTable? 

QUINLAN: The main difference is that 
SSTables are immutable, while BigTable
provides mutable key value storage, and
a whole lot more. BigTable itself is
actually built on top of logs and SSTables.
Initially, it stores incoming data into
transaction log files. Then it gets
compacted—as we call it—into a series of
SSTables, which in turn get compacted
together over time. In some respects,
it’s reminiscent of a log-structure file
system. Anyway, as you’ve observed, logs
and SSTables do seem to be the two data
structures underlying the way we
structure most of our data. We have log files
for mutable stuff as it’s being recorded. 
Then, once you have enough of that, you 
sort it and put it into this structure that 
has an index. 

Even though GFS does not provide 
a Posix interface, it still has a pretty ge- 
neric file-system interface, so people 
are essentially free to write any sort of 
data they like. It’s just that, over time,
the majority of our users have ended up
using these two data structures. We also
have something called protocol buffers,
which is our data description language.
The majority of data ends up being
protocol buffers in these two structures.
Both provide for compression and
checksums. Even though there are
some people internally who end up
reinventing these things, most people
are content just to use those two basic
building blocks.


Because GFS was designed initially to 
enable a crawling and indexing system, 
throughput was everything. In fact, the 
original paper written about the
system makes this quite explicit: “High
sustained bandwidth is more
important than low latency. Most of our
target applications place a premium on
processing data in bulk at a high rate, 
while few have stringent response-time 
requirements for an individual read 
and write.” 

But then Google either developed or
embraced many user-facing Internet
services for which this is most
definitely not the case.

One GFS shortcoming that this
immediately exposed had to do with the
original single-master design. A single
point of failure may not have been a
disaster for batch-oriented applications,
but it was certainly unacceptable for
latency-sensitive applications, such as
video serving. The later addition of
automated failover capabilities helped,
but even then service could be out for
up to a minute.

The other major challenge for GFS, 
of course, has revolved around finding 
ways to build latency-sensitive
applications on top of a file system designed
around an entirely different set of
priorities.


MCKUSICK: It’s well documented that 
the initial emphasis in designing GFS 
was on batch efficiency as opposed to 
low latency. Now that has come back to 
cause you trouble, particularly in terms 
of handling things such as videos. How 
are you handling that? 

QUINLAN: The GFS design model 
from the get-go was all about achieving 
throughput, not about the latency at 
which that might be achieved. To give 
you a concrete example, if you’re writ- 
ing a file, it will typically be written in 
triplicate—meaning you'll actually be 
writing to three chunkservers. Should 
one of those chunkservers die or hiccup 
for a long period of time, the GFS
master will notice the problem and
schedule what we call a pullchunk, which
means it will basically replicate one of
those chunks. That will get you back up
to three copies, and then the system will
pass control back to the client, which
will continue writing. 

When we do a pullchunk we limit it to
something on the order of 5MB-10MB
a second. So, for 64MB, you're talking
about 10 seconds for this recovery to
take place. There are lots of other things
like this that might take 10 seconds to a
minute, which works just fine for
batch-type operations. If you're doing a large
MapReduce operation, you’re OK just
so long as one of the items is not a real
straggler, in which case you've got
yourself a different sort of problem. Still,
generally speaking, a hiccup on the
order of a minute over the course of an
hour-long batch job doesn’t really show
up. If you are working on Gmail,
however, and you're trying to write a mutation
that represents some user action, then
getting stuck for a minute is really going
to mess you up.

We've had similar issues with our
master failover. Initially, GFS had no
provision for automatic master failover.
It was a manual process. Although it 
didn’t happen a lot, whenever it did, the 
cell might be down for an hour. Even 
our initial master-failover implementa- 
tion required on the order of minutes. 
Over the past year, however, we've taken 
that down to something on the order of 
tens of seconds. 

MCKUSICK: Still, for user-facing
applications, that’s not acceptable.

QUINLAN: Right. While these instanc- 
es—where you have to provide for 
failover and error recovery—may have 
been acceptable in the batch situation, 
they’re definitely not OK from a latency 
point of view for a user-facing applica- 
tion. Another issue here is that there are 
places in the design where we've tried 
to optimize for throughput by dumping 
thousands of operations into a queue 
and then just processing through them. 
That leads to fine throughput, but it’s 
not great for latency. You can easily 
get into situations where you might be 
stuck for seconds at a time in a queue 
just waiting to get to the head of the 
queue. 

Our user base has definitely migrated 
from being a MapReduce-based world 
to more of an interactive world that re- 
lies on things such as BigTable. Gmail 
is an obvious example of that. Videos 
aren’t quite as bad where GFS is con- 
cerned because you get to stream data, 
meaning you can buffer. Still, trying to 
build an interactive database on top of 
a file system that was designed from the 
start to support more batch-oriented 
operations has certainly proved to be a 
pain point. 

MCKUSICK: How exactly have you man- 
aged to deal with that? 

QUINLAN: Within GFS, we’ve managed 
to improve things to a certain degree, 
mostly by designing the applications to 
deal with the problems that come up. 
Take BigTable as a good concrete ex- 
ample. The BigTable transaction log is 
actually the biggest bottleneck for get- 
ting a transaction logged. In effect, we 
decided, “Well, we’re going to see hic- 
cups in these writes, so what we'll do is 
to have two logs open at any one time. 
Then we'll just basically merge the two. 
We'll write to one and if that gets stuck, 
we'll write to the other. We’ll merge 
those logs once we do a replay—if we 
need to do a replay, that is.” We tended 
to design our applications to function
like that—which is to say they basically
try to hide that latency since they know
the system underneath isn’t really all
that great.

The guys who built Gmail went to a
multihomed model, so if one instance
of your Gmail account got stuck, you
would basically just get moved to
another data center. Actually, that
capability was needed anyway just to ensure
availability. Still, part of the motivation 
was that they wanted to hide the GFS 
problems. 

MCKUSICK: I think it’s fair to say that,
by moving to a distributed-master file 
system, you're definitely going to be able 
to attack some of those latency issues. 

QUINLAN: That was certainly one of our 
design goals. Also, BigTable itself is a 
very failure-aware system that tries to re- 
spond to failures far more rapidly than 
we were able to before. Using that as our 
metadata storage helps with some of 
those latency issues as well. 


The engineers who worked on the earli- 
est versions of GFS weren’t particularly 
shy about departing from traditional 
choices in file-system design whenever 
they felt the need to do so. It just so hap- 
pens that the approach taken to consis- 
tency is one of the aspects of the system 
where this is particularly evident. 

Part of this, of course, was driven by 
necessity. Since Google’s plans rested 
largely on massive deployments of 
commodity hardware, failures and 
hardware-related faults were a given. 
Beyond that, according to the original 
GFS paper, there were a few compatibil- 
ity issues. “Many of our disks claimed 
to the Linux driver that they supported 
a range of IDE protocol versions but 
in fact responded reliably only to the 
more recent ones. Since the protocol 
versions are very similar, these drives 
mostly worked but occasionally the 
mismatches would cause the drive and 
the kernel to disagree about the drive’s 
state. This would corrupt data silently 
due to problems in the kernel. This 
problem motivated our use of check- 
sums to detect data corruption.” 

That didn’t mean just any check- 
summing, however, but instead rigor- 
ous end-to-end checksumming, with an 
eye to everything from disk corruption 
to TCP/IP corruption to machine back- 
plane corruption. 

Interestingly, for all that
checksumming vigilance, the GFS engineering
team also opted for an approach to 
consistency that’s relatively loose by 
file-system standards. Basically, GFS 
simply accepts that there will be times 
when people will end up reading slight- 
ly stale data. Since GFS is used mostly 
as an append-only system as opposed 
to an overwriting system, this
generally means those people might end up
missing something that was appended
to the end of the file after they'd already
opened it. To the GFS designers, this
seemed an acceptable cost (although
it turns out that there are applications
for which this proves problematic).
Also, as Gobioff explained, “The risk
of stale data in certain circumstances is
just inherent to a highly distributed
architecture that doesn’t ask the master
to maintain all that much information. 
We definitely could have made things a 
lot tighter if we were willing to dump a 
lot more data into the master and then 
have it maintain more state. But that 
just really wasn’t all that critical to us.” 

Perhaps an even more important is- 
sue here is that the engineers making 
this decision owned not just the file
system but also the applications intended
to run on the file system. According
to Gobioff, “The thing is that we
controlled both the horizontal and the
vertical—the file system and the
application. So we could be sure our
applications would know what to expect from
the file system. And we just decided to
push some of the complexity out to the
applications to let them deal with it.”

Still, there are some at Google who
wonder whether that was the right call
if only because people can sometimes
obtain different data in the course of
reading a given file multiple times,
which tends to be so strongly at odds
with their whole notion of how data
storage is supposed to work.


MCKUSICK: Let’s talk about consistency. 
The issue seems to be that it presumably 
takes some amount of time to get every- 
thing fully written to all the replicas. I 
think you said something earlier to the 
effect that GFS essentially requires that 
this all be fully written before you can 
continue. 

QUINLAN: That’s correct. 

MCKUSICK: If that’s the case, then how
can you possibly end up with things that 
aren’t consistent? 


QUINLAN: Client failures have a way of 
fouling things up. Basically, the model 
in GFS is that the client just continues 
to push the write until it succeeds. If the 
client ends up crashing in the middle of 
an operation, things are left in a bit of 
an indeterminate state. 

Early on, that was sort of considered 
to be OK, but over time, we tightened 
the window for how long that incon- 
sistency could be tolerated, and then 
we slowly continued to reduce that. 
Otherwise, whenever the data is in that 
inconsistent state, you may get differ- 
ent lengths for the file. That can lead to 
some confusion. We had to have some
backdoor interfaces for checking the
consistency of the file data in those
instances. We also have something called
RecordAppend, which is an interface 
designed for multiple writers to append 
to a log concurrently. There the consis- 
tency was designed to be very loose. In 
retrospect, that turned out to be a lot 
more painful than anyone expected. 

MCKUSICK: What exactly was loose?
If the primary replica picks what the
offset is for each write and then makes
sure that actually occurs, I don’t see
where the inconsistencies are going to 
come up. 

QUINLAN: What happens is that the 
primary will try. It will pick an offset, it 
will do the writes, but then one of them 
won’t actually get written. Then the pri- 
mary might change, at which point it 
can pick a different offset. RecordAp- 
pend does not offer any replay protec- 
tion either. You could end up getting the 
data multiple times in the file. 

There were even situations where you 
could get the data in a different order. 
It might appear multiple times in one 
chunk replica, but not necessarily in all 
of them. If you were reading the file, you 
could discover the data in different ways 
at different times. At the record level, 
you could discover the records in differ- 
ent orders depending on which chunks 
you happened to be reading. 

MCKUSICK: Was this done by design? 

QUINLAN: At the time, it must have 
seemed like a good idea, but in retro- 
spect I think the consensus is that it 
proved to be more painful than it was 
worth. It just doesn’t meet the
expectations people have of a file system, so they
end up getting surprised. Then they had 
to figure out work-arounds. 

MCKUSICK: In retrospect, how would
you handle this differently?

QUINLAN: I think it makes more sense 
to have a single writer per file. 

MCKUSICK: All right, but what happens 
when you have multiple people wanting 
to append to a log?

QUINLAN: You serialize the writes 
through a single process that can en- 
sure the replicas are consistent. 

MCKUSICK: There’s also this business 
where you essentially snapshot a chunk. 
Presumably, that’s something you use 
when you're essentially replacing a 
replica, or whenever some chunkserv- 
er goes down and you need to replace 
some of its files. 

QUINLAN: Actually, two things are go- 
ing on there. One, as you suggest, is the 
recovery mechanism, which definitely 
involves copying around replicas of the 
file. The way that works in GFS is we
basically revoke the lock so the client can’t
write it anymore, and this is part of that
latency issue we were talking about.

There’s also a separate issue, which
is to support the snapshot feature of
GFS. GFS has the most general-purpose
snapshot capability you can imagine.
You could snapshot any directory
somewhere, and then both copies would be
entirely equivalent. They would share
the unchanged data. You could change
either one and you could further snap- 
shot either one. So it was really more of 
a clone than what most people think of 
as a snapshot. It’s an interesting thing, 
but it makes for difficulties—especially 
as you try to build more distributed sys- 
tems and you want potentially to snap- 
shot larger chunks of the file tree. 

I also think it’s interesting that the 
snapshot feature hasn’t been used 
more since it’s actually a very power- 
ful feature. That is, from a file-system 
point of view, it really offers a pretty 
nice piece of functionality. But putting 
snapshots into file systems, as I’m sure 
you know, is a real pain. 

MCKUSICK: I know. I’ve done it. It’s ex- 
cruciating—especially in an overwriting 
file system. 

QUINLAN: Exactly. This is a case where 
we didn’t cheat, but from an imple- 
mentation perspective, it’s hard to cre- 
ate true snapshots. Still, it seems that 
in this case, going the full deal was the 
right decision. Just the same, it’s an in- 
teresting contrast to some of the other 
decisions that were made early on in 
terms of the semantics.

All in all, the report card on GFS nearly
10 years later seems positive. There 
have been problems and shortcom- 
ings, to be sure, but there’s surely no 
arguing with Google’s success and GFS 
has without a doubt played an impor- 
tant role in that. What’s more, its stay- 
ing power has been nothing short of 
remarkable given that Google’s
operations have scaled orders of magnitude
beyond anything the system had been
designed to handle, while the applica- 
tion mix Google currently supports is 
not one that anyone could have possi- 
bly imagined back in the late 1990s. 

Still, there’s no question that GFS 
faces many challenges now. For one 
thing, the awkwardness of supporting 
an ever-growing fleet of user-facing, 
latency-sensitive applications on top 
of a system initially designed for batch- 
system throughput is something that’s 
obvious to all. 

The advent of BigTable has helped 
somewhat in this regard. As it turns out, 
however, BigTable isn’t actually all that 
great a fit for GFS. In fact, it just makes 
the bottleneck limitations of the sys- 
tem’s single-master design more appar- 
ent than would otherwise be the case. 

For these and other reasons, engi- 
neers at Google have been working for 
much of the past two years on a new dis- 
tributed master system designed to take 
full advantage of BigTable to attack some
of those problems that have proved par- 
ticularly difficult for GFS. 

Accordingly, it now seems that be- 
yond all the adjustments made to ensure 
the continued survival of GFS, the new- 
est branch on the evolutionary tree will 
continue to grow in significance over the 
years to come.

What will it take to make server-side
computing more energy efficient?

Toward Energy-Efficient Computing

BY NOW, MOST everyone is aware of the energy problem
at its highest level—our primary sources of energy
are running out, while the demand for energy in both
commercial and domestic environments is increasing.
Moreover, the side effects of energy use have
important global environmental considerations. The
emission of greenhouse gases such as CO2, now seen
by most climatologists to be linked to global warming,
is only one issue.

The world’s preeminent scientists and thought
leaders are perhaps most focused on a strategic
solution: the need to develop new sources of clean
and renewable energy if we are ultimately to overcome
the energy problem. Lord Rees, president of the Royal
Society, emphasized its urgency in an annual address
delivered in 2008.

The practical expectation of new
sources of sustainable energy is at
least three decades away, however.
Steve Chu, who was the director of the
Lawrence Berkeley National Laboratory
prior to his recent appointment
as U.S. Secretary of Energy, placed this
situation in context:

“A dual strategy is needed to solve
the energy problem: (1) maximize
energy efficiency and decrease energy
use; (2) develop new sources of clean
energy. No. 1 will remain the
lowest-hanging fruit for the next few
decades.”

What part does computer equipment
play in the demand for energy,
and where must we focus to reduce
consumption and improve energy
efficiency?

In August 2007, the Environmental
Protection Agency (EPA) issued a
report to Congress on energy efficiency
of servers and data centers. Some key
findings from the report include:

» Servers and data centers consumed
61 billion kWh (kilowatt
hours) in 2006. This was 1.5% of total
U.S. electricity consumption that year,
amounting to $4.5 billion in electricity
costs—equivalent to 5.8 million
average U.S. households.

» Electricity use in this sector
doubled between 2000 and 2006, a trend
that is expected to continue.

» Infrastructure systems necessary
to support the operation of IT
equipment (for example, power delivery and
cooling systems) also consumed a
significant amount of energy,
comprising 50% of annual electricity use.

Excerpts from the EPA report are 
shown in the accompanying figure 
and table. There are two particularly 
notable points in the data. The first
is that as much energy is being
consumed by site infrastructure as by
the computing equipment itself. This
infrastructure primarily represents
heating, ventilation, and air-conditioning
(HVAC) equipment, as well
as that used to convert and transmit
power and to maintain its continuity
(the latter includes transformers
and in-building power-switching and
transmission equipment, as well as
power-conditioning and sustaining
equipment such as uninterruptible 
power supplies). This factor is of great 
consequence, but may not be the most 
obvious domain for computing pro- 
fessionals to address. 

Within the computing equipment 
itself, however, is the second point of 
interest. Of the five types of IT
equipment studied, volume servers alone
were responsible for the majority
(68%) of the electricity used. Assuming
that the 17% CAGR (combined annual
growth rate) of volume servers
continues, this suggests that they are 
the prime targets for energy reduction 
in the server space. The 20% growth 
rate of storage devices shown here—a 
rate that more recent data suggests is 
accelerating—indicates another sig- 
nificant trend. 

If the exponential growth of
data-center computing equipment revealed
by this study continues, roughly
double the demand for electricity seen
in 2006 is expected in data centers by
2011. This poses challenges beyond
the obvious economic ones. For
example, peak instantaneous demand is
expected to rise from 7GW (gigawatts)
in 2006 to 12GW in 2011, and 10 new
base-level power plants would be
needed to meet such a demand.

Physical limitations on power
availability are already a constraint
for data centers in some areas; a
managing director of IT for Morgan
Stanley recently observed that the
company is no longer able physically to get
the power needed to run a new data
center in Manhattan. The situation is
serious. Corporations such as eBay,
Google, Amazon, Microsoft, and
Yahoo have pursued suitable locations
where the data centers required to
run their contemporary Web applications
and services can be constructed.
A number of these companies
have already negotiated with certain
states in the U.S., as well as
internationally, to construct these facilities,
along with the power plants
necessary to supply them. A few years ago
Google touched off what some
journalists deemed “a modern-day arms
race” when it situated a new facility
along the Columbia River in
Washington. The combined benefits of
lower land cost, lower external
ambient temperature, and the availability
of running water for cooling and
hydroelectric power generation could
provide an antidote both to Google’s
acute energy-availability problems
and its cost.

Electricity use by end-use component—2000 to 2006.
Source: EPA report to Congress on server and data center energy efficiency

End use component     2000 electricity use   2000      2006 electricity use   2006      2000-2006 electricity
                      (billion kWh)          % total   (billion kWh)          % total   use CAGR
Site infrastructure   14.1                   50%       30.7                   50%       14%
Network equipment     1.4                    5%        3.0                    5%        14%
Storage               1.1                    4%        3.2                    5%        20%
High-end servers      1.1                    4%        1.5                    2%        5%
Mid-range servers     2.5                    9%        2.2                    4%        -2%
Volume servers        8.0                    29%       20.9                   34%       17%
Total                 28.2                             61.4                             14%

There is some evidence[a] that the
amount of energy consumed by mobile
and desktop computing equipment
is of roughly the same magnitude as
that used by servers in data centers,
although we do not have a correspondingly
comprehensive and authoritative
current study to refer to. The EPA
data presented here provides some
detailed perspective on where the
energy goes in the important and growing
server segment of the computing
landscape. Also, some foundation has
already been laid in the mobile and
desktop computing space as a result of
the earlier focus of the EPA’s EnergyStar
program on consumer electronics,
which includes computer systems.

[a] The U.S. Energy Information Administration
(www.eia.doe.gov) showed a figure of 23.1
terawatt hours per year consumed by PCs and
printers within U.S. households in 2001. The
figures were similar in 2006.


Power and its Management in 
Computer Systems Today 

Perhaps the key factor to consider with today’s computer systems is that the amount of power they consume does not adjust gracefully according to the amount of work the system is doing. The principal design objective for most general-purpose computer systems to date has been to maximize performance—or, perhaps, performance at a given price point—with very little consideration given to energy use. This is changing rapidly as we near the point where the capital cost to acquire computing equipment will be exceeded by the cost of energy to operate it—even over its relatively short (3- to 5-year) amortization period—unless we pay some attention to energy-conscious system design.

Although the case has been made for energy-proportional computing—meaning the amount of power required corresponds directly to a system’s (or component’s) degree of utilization—this is far from the current situation. Many components of computer systems today exhibit particularly poor efficiencies at low levels of utilization, and most systems spend a great proportion of their time operating at relatively low-usage levels. Power supplies have been notorious for their inefficiency, especially when at low load, and fans can waste much energy when operated carelessly. In just four years, however, the efficiency of power supplies has improved. Indeed, algorithms that adjust fan speeds more continuously in relation to thermal need, rather than using just a few discrete speed points, are emerging. The majority of hardware components in today’s computer systems must still be managed explicitly, however, and the current widely deployed conceptions and facilities for power management in computer systems remain rudimentary.


Power Management 

There are two basic modalities for power management: a running vs. suspended (not-running) aspect in which a component (or whole system) can be powered off when it is not being used (that is, once it has become idle), but turned on again when it is needed; and a performance-adjustment aspect (while running) in which the performance level of a component can be lowered or raised, based on either the observed level of its utilization or other needs of the workload.

The running versus not-running choices are often called the component’s (or system’s) power states. While there is a single state to represent running, there may be more than one suspended state. The latter allows power to be removed from progressively more of the hardware associated with the component (or system) if there is some important power-relevant structure to its implementation. CPUs, for example, may have their execution suspended simply by stopping the issuance of instructions or by turning off their clock circuitry. “Deeper” power states, however, might successively remove power from the processor’s caches, TLBs (translation lookaside buffers), memory controllers, and so on. While more energy is saved as more of a component’s hardware has its power removed, there is then either a greater latency to recommence its operation, or extra energy is required to save and restore the hardware’s contents and restart it, or both.

The performance-adjustment choices while running are most naturally called the component’s performance states. A widely applied technique for adjusting performance is to change the component’s operating frequency. When clock speed is slowed, operating voltage levels can also be reduced, and these two factors together—normally called DVFS (dynamic voltage and frequency scaling)—result in a compound power savings. Performance states were first introduced for CPUs, since processors are among the most consequential consumers of power on the hardware platform (something in the range of 35W (watts) to 165W is typical of a contemporary multicore CPU). Performance states might also be used to control the active cache size, the number and/or operating rates of memory and I/O interconnects, and the like.


ACPI 

The most widely implemented architecture for power management is the Advanced Configuration and Power Interface (ACPI). It has evolved together with Intel architecture, the hardware platforms based on the most widely available commodity CPUs and related components. Although there are many detailed aspects to the specification, ACPI principally offers the controls needed to implement the two power-management modalities just described. It defines power states: seven at the whole-system level, called S-states (S0-S6); and four at the per-device level called D-states (D0-D3).ᵇ The zero-numbered state (S0 for the system, or D0 for each device) indicates the running (or active) state, while the higher-numbered ones are nonrunning (inactive) states with successively lower power—and correspondingly decreasing levels of availability (run-readiness). ACPI also defines performance states, called P-states (P0-P15, allowing a maximum of 16 per device), which affect the component’s operational performance while running. Both affect power consumption.


Energy Efficiency in Computing 

Although ACPI is an important de facto standard with reasonably broad support from manufacturers, it provides only a mechanism by which aspects of the system can be controlled to affect their power consumption. This enables but does not explicitly provide energy efficiency. Higher-level aspects of the overall system architecture are needed to exploit this or any similar mechanism.

How does energy-efficient computing differ from power management, and how would you know you had solved the energy-efficiency problem for a computer system? Here is a simple vision: “The system consumes the minimum amount of energy required to perform any task.”

In other words, energy efficiency is an optimization problem. Such a system must adjust the system’s hardware resources dynamically, so that only what is needed to perform those tasks (whether to complete them on time, or analogously, to provide the throughput required to maintain a stated service level) is made available, and that the total energy used is minimized as a result.

b Idiosyncratically, the power states for CPUs are called C-states (C0-C3). In any case, the semantics of each nonrunning power state is specific to the device (or device class) in question.

c Energy is the time integral of power, so that for constant power, energy = power × time. Power and energy are different concepts and should not be confused.

Traditionally, systems have been designed to achieve maximum performance for the workload. On energy-efficient systems, maximum performance for some tasks (or the whole workload) will still be desired in some cases, but the system must now also minimize energy use. It is important to understand that performance and energy efficiency are not mutually exclusive. For example, even when achieving maximum performance, any resources that can be deactivated, or whose individual performance can be reduced without affecting the workload’s best possible completion time or throughput, constitute energy optimization.

Indeed, there are few (if any) situations in which the full capacity of the hardware resources (that is, all operating at their peak performance levels) on any system is exploited. Systems that strive to achieve maximum performance at all times are notoriously over-provisioned (and correspondingly underutilized). People involved in practical computer system design may note that our science is weak in this area, however. (This area might be called “dynamic capacity planning and dynamic provisioning.”)

Energy optimization is obviously subject to certain constraints. Some examples follow.


Required Performance Levels Must be Maintained

Tasks with deadlines must be completed on time. In the general case, a deadline is specified for a task or the workload. When any deadline is specified that is less than or equal to the optimum that the system can achieve with any or all of its hardware resources, this implies maximum performance. This is effectively the degenerate case.

Maximum performance for a task or the workload provides an implicit stipulation of the optimal deadline ($t_0$), or “as soon as possible.”ᵈ In this case, energy optimization is restricted to those resources that can be deactivated, or whose individual performance can be reduced, without affecting the workload’s best possible completion time.

If a deadline later than the best achievable deadline is specified, the computation may take any length of time up to this deadline, and the system can seek a more global energy minimum for the task (or workload). Deadlines might be considered “hard,” in which case the system’s energy-optimizing resource allocator must somehow guarantee to meet them (raising difficult implementation issues), or “soft,” in which case only a best effort can be tolerated.

Services must operate at required throughput. For online services, the notion of throughput, in order to characterize the required performance level, may be more suitable than that of a completion deadline. Since services, in their implementation, can ultimately be decomposed into individual tasks that do complete, we expect there to be a technical analog (although the most suitable means of specifying its performance constraint might be different).


The System Must be Responsive to Changing Demand

Real workloads are not static: the amount of work provided and the resources required to achieve a given performance level will vary as they run. Dynamic response is an important practical consideration related to service level.

Throughput (T) must be achievable within latency (L). Specification of the maximum latency within which reserved hardware capacity can be activated or its performance level increased seems a clear requirement, but this must also be related to the performance needs of the task or workload in question.

Throughput is dependent on the type of task. A metric such as TPS (transactions per second) might be relevant for database system operation, triangles per second for the rendering component of an image-generation subsystem, or corresponding measures for a filing service, I/O interconnect, or network interface. Interactive use imposes real-time responsiveness criteria, as does media delivery: computational, storage, and I/O capacity required to meet required audio and video delivery rates. A means by which such diverse throughput requirements might be handled in practice is suggested here.

d All values of deadline $D = t_i$ less than the shortest achievable deadline $t_0$ are equivalent to setting $D = t_0$ (that is: $\{\forall t_i \mid t_i < t_0,\ [D = t_i] \equiv [D = t_0]\}$). We can therefore denote maximum performance by $D = 0$.

Instantaneous power must never exceed power limit (P). A maximum power limit may be specified to respect practical limits on power availability (whether to an individual system or to a data center as a whole). In some cases, exceeding this limit briefly may be permissible.

Combinations of such constraints mean that over-constraint must be expected in some circumstances, and therefore a policy for constraint relaxation will also be required. A strict precedence of the constraints might be chosen or a more complex trade-off made between them.


Approaching a Solution 
Given this concept for energy-efficient computing, how might such a system be constructed? How would you expect an energy-efficient system to operate? A system has three principal aspects that could solve this problem:

> It must be able to construct a power model that allows the system to know how and where power is consumed, and how it can manipulate that power (this component is the basis for enacting any form of power management).

> The system must have a means for determining the performance requirements of tasks or the workload—whether by observation or by some more explicit means of communication. This is the constraints-determination and performance-assessment component.

> Finally, the system must implement an energy optimizer—a means of deciding an energy-efficient configuration of the hardware at all times while operating. That optimization may be relative (heuristically decided) or absolute (based on analytical techniques). This is the capacity-planning and dynamic-provisioning component.

The first aspect is relatively straightforward to construct. The third is certainly immediately approachable, especially where the optimization technique(s) are based on heuristic methods. The second consideration is the most daunting. It represents an important disruptive consequence of energy-efficient computing and could demand a more formal (programmatic) basis for communicating requirements of the workload to the system. A description of the workload’s basic provisioning needs, along with a way to indicate both its performance requirements and present performance, seems basic to this.

A way of indicating a priori its expected sensitivity to changes in provisioning of various system resources could also be useful. Fortunately, there are a number of practical approaches to energy efficiency to pursue prior to the refinements enabled by the hoped-for developments in category 2.


Power Model 
In order to manage the system’s hardware for energy efficiency, the systemᵉ must know the specific power details of the physical devices under its control. Power-manageable components must expose the controls that they offer, such as their power and performance states (D-states and P-states, respectively, in the ACPI architectural model). To allow modeling of power relative to performance and availability (that is, relative to its activation responsiveness), however, the component interface must also describe at least the following:

> The per-state power consumption (for each inactive state) or power range (for each active state).

> State-transition latency (time required to make each state transition).

> State-change energy (energy expended to change state).

Once the system has such a power model, consisting of all its power-manageable hardware, it has the basic foundation for operating to optimize energy. Importantly, it has the knowledge of those components that consume the most power and those that have the most highly responsive controls that can be used to affect power use.

e “The system” here most naturally suggests the operating system, although it is clear that this must include the hypervisor for virtualized systems. One can reasonably expect that this concept will need to be broadened to include some aspects of the firmware and even hardware components (on the low end) and important runtimes, such as the Java Virtual Machine, which have responsibility for, and/or particular knowledge of, resource allocation.


Workload Constraints and Performance Assessment

In its desire to limit the amount of active hardware and reduce its performance so as to minimize energy consumption, how is a system to know whether the tasks being run are still achieving enough throughput to maintain appropriate service levels or realize their deadlines?

The assessment of throughput is subject to the task or application in question. The operating system can observe the degree to which its various resources have been and are currently being used, and it might use these observations as its best basis for prediction of future resource needs—thus shrinking or enlarging what is available. This is a relatively weak basis to determine what the workload will need, especially to anticipate its dynamic responsiveness sensitivities. As a result, the system will have to be much more conservative about its reduction of available resources or their performance levels. It seems clear that the best result will be realized if applications assess their own throughput relative to their service-level requirements or completion deadlines, and can convey that information to the operating system through an interface. The system can then use this information to make potentially much more aggressive resource adjustments and realize an improved overall energy-optimization solution accordingly.

Here is the crucial dichotomy: the system is responsible for solving the energy-optimization problem subject to the resources it allocates, while the application is responsible for monitoring its own performance level and informing the system so that appropriate resources can be provided to meet them.


Energy Optimization by the System 
Once provided with the hardware’s power characteristics, and possibly descriptive information from application-level software about its constraints, the operating system must begin the dynamic process of adjusting the hardware’s performance and availability levels to control power consumption and improve systemwide energy use. How can the operating system make such decisions?

Heuristic methods. Provisioning for maximum throughput may, in some cases, optimize energy. This is the conjecture that “[maximum] performance is green,” reflected in the ideas of race-to-idle or race-to-sleep. Although there is some evidence that this approach has merit in client-side computing when the system becomes idle—especially for embedded and mobile systems where 95% of the energy may be saved if the entire system can be put in a suspended state—it is not clear how applicable this may be for server-side computing. A nonlinear increase in the power required to get linear speed-up (throughput) exists in some cases—Intel’s Turbo mode on contemporary CPUs is one example—and hence, the energy optimum will not be found at a provisioning and performance point commensurate with maximum throughput in all cases.

A widely used heuristic for energy improvement on active systems is to adjust the hardware’s performance level dynamically, based on its current utilization: downward with low utilization or upward with high utilization (utilization below or above some threshold for some duration). This can be an effective technique but is restricted to situations in which both the latency and energy to make the state change are so low as to be inconsequential.

Constraints-based optimization as an approach. In some cases, it may be possible to simplify the problem to such a degree as to provide a complete analytical solution. For example, if we consider only a single task on a single CPU with a well-understood power/performance trade-off, it is relatively straightforward to specify completely a schedule in which the task will meet its deadline with the minimum total energy; more general formal results are also possible. This relies, however, on a number of assumptions, such as good estimates of the total work required by a process, which frequently do not hold up in practice. Weaker assumptions require online optimization algorithms to perform energy-aware scheduling. There is some existing work in this area but not yet enough to underpin a general-purpose operating system.
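The single-task, single-CPU case described above can be worked through directly. The following is an added example, not code from the article: the P-state table, platform and rest powers, and cycle count are constructed values, and `PState`, `energy_until_deadline` and `min_energy_pstate` are hypothetical names. It assumes the task's work in cycles is known exactly, which is the kind of estimate the article notes often does not hold in practice.

```python
from dataclasses import dataclass
from typing import Optional, Sequence, Tuple


@dataclass(frozen=True)
class PState:
    name: str
    freq_hz: float   # clock frequency in this performance state
    active_w: float  # CPU power while executing in this state


# Constructed table: voltage drops with frequency, so power falls faster than speed.
PSTATES = (
    PState("P0", 3.0e9, 95.0),
    PState("P1", 2.0e9, 48.0),
    PState("P2", 1.0e9, 28.0),
)


def energy_until_deadline(ps: PState, cycles: float, deadline_s: float,
                          platform_w: float, rest_w: float) -> Optional[float]:
    """Total energy from task start to the deadline if the task runs in `ps`.

    platform_w: power of everything else that must be on while the CPU runs.
    rest_w:     power drawn after the task finishes, until the deadline
                (suspend power if the system can sleep, idle power if not).
    Returns None when `ps` is too slow to meet the deadline.
    """
    run_s = cycles / ps.freq_hz
    if run_s > deadline_s:
        return None
    return (ps.active_w + platform_w) * run_s + rest_w * (deadline_s - run_s)


def min_energy_pstate(pstates: Sequence[PState], cycles: float, deadline_s: float,
                      platform_w: float, rest_w: float
                      ) -> Optional[Tuple[PState, float]]:
    """Pick the P-state that meets the deadline with the least total energy."""
    best = None
    for ps in pstates:
        e = energy_until_deadline(ps, cycles, deadline_s, platform_w, rest_w)
        if e is not None and (best is None or e < best[1]):
            best = (ps, e)
    return best


if __name__ == "__main__":
    work = 3.0e9  # cycles, constructed
    scenarios = {
        # Whole system can suspend after the task: racing to sleep pays off.
        "client, suspends when done": dict(deadline_s=4.0, platform_w=60.0, rest_w=2.0),
        # Server stays awake: platform plus idle CPU power is drawn regardless.
        "server, stays awake": dict(deadline_s=4.0, platform_w=60.0, rest_w=70.0),
        # Deadline equal to the best achievable time: only P0 is feasible.
        "deadline = best achievable": dict(deadline_s=1.0, platform_w=60.0, rest_w=70.0),
    }
    for label, kw in scenarios.items():
        ps, joules = min_energy_pstate(PSTATES, work, **kw)
        print(f"{label}: {ps.name} at {joules:.1f} J")
```

With the same P-state table, the energy-optimal choice moves from the fastest state to the slowest feasible one purely because of what the system draws after the task completes.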

For an optimization-based approach to be generally applicable, a range of techniques will be necessary. In the simplest cases, autonomous device-level operation is possible; for example, at the hardware level, a GPU can power down unused hardware pipelines aggressively, based solely on instantaneous assessment of their utilization levels, because the latency to bring those pipelines back up as they become necessary is inconsequential. Similar practices appear to be applicable in the use of CPU P-states (CPU performance and energy-cost adjustment based on voltage and frequency scaling), since both the state-transition energy and latency are very low.

Hardware state changes that affect power but exhibit a much greater latency and/or a much greater amount of energy to make the state change require a different treatment. An obvious example is spinning down a hard disk, considering the long latency to return it to running, but reactivation latency is not the only concern. Semiconductor memory systems in which part of the total physical memory could be powered off if not required, and where power-on latency may be near zero, will still have a consequential transition energy, since a great many in-memory transactions may be required to gather the working set into those physical pages that will remain active.ᶠ Resources of this class require greater knowledge of the task or workload behavior, as well as an anticipatory treatment of the required hardware resources, to ensure that the activation latency can be tolerated or managed and that the state-change energy will be exceeded by the energy that will be saved while in that state.
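The three attributes listed under Power Model (per-state power, state-transition latency, state-change energy) are enough to make the decision this paragraph describes. The following is an added example, not code from the article: the disk figures are constructed, the D-state labels are used loosely, and `IdleState`, `idle_energy`, `break_even_s` and `choose_idle_state` are hypothetical names. It assumes the idle gap is predicted in advance and that entering a state takes negligible time compared with leaving it.

```python
from dataclasses import dataclass
from typing import Optional, Sequence, Tuple


@dataclass(frozen=True)
class IdleState:
    name: str
    power_w: float       # per-state power while resident in the state
    latency_s: float     # state-transition latency to return to running
    transition_j: float  # state-change energy (entering plus leaving)


# Constructed power model of one disk drive.
DISK = (
    IdleState("D0 idle (spinning)", 8.0, 0.0, 0.0),
    IdleState("D1 (heads unloaded)", 5.0, 1.0, 4.0),
    IdleState("D3 (spun down)", 1.0, 10.0, 150.0),
)


def idle_energy(state: IdleState, idle_s: float) -> Optional[float]:
    """Energy spent over an idle gap of idle_s seconds if `state` is used.

    The transition energy covers the wake-up period, so the state's own power
    is only charged for the remaining residency. None if the gap is too short.
    """
    if state.latency_s > idle_s:
        return None
    return state.transition_j + state.power_w * (idle_s - state.latency_s)


def break_even_s(shallow: IdleState, deep: IdleState) -> Optional[float]:
    """Shortest idle gap for which `deep` costs no more energy than `shallow`."""
    saved_w = shallow.power_w - deep.power_w
    if saved_w <= 0:
        return None  # the deeper state never repays its transition energy
    t = (deep.transition_j - shallow.transition_j
         + shallow.power_w * shallow.latency_s
         - deep.power_w * deep.latency_s) / saved_w
    return max(t, deep.latency_s)


def choose_idle_state(states: Sequence[IdleState], predicted_idle_s: float,
                      max_wake_latency_s: float
                      ) -> Optional[Tuple[IdleState, float]]:
    """Lowest-energy state whose wake-up latency the workload can tolerate."""
    best = None
    for s in states:
        if s.latency_s > max_wake_latency_s:
            continue  # responsiveness constraint: cannot wake in time
        e = idle_energy(s, predicted_idle_s)
        if e is not None and (best is None or e < best[1]):
            best = (s, e)
    return best


if __name__ == "__main__":
    print("spin-down break-even vs spinning:", break_even_s(DISK[0], DISK[2]), "s")
    for idle_s, max_wake in [(15, 30), (30, 30), (60, 30), (60, 0.5)]:
        state, joules = choose_idle_state(DISK, idle_s, max_wake)
        print(f"idle {idle_s:>2}s, wake within {max_wake}s -> {state.name} ({joules:.0f} J)")
```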

Some common optimization techniques may be based on state-change latency, their energy demands, and so on, and a taxonomy of such techniques might arise from this—some formal or analytical, some based on more numerical or heuristic methods.

Although we expect the specific techniques for energy optimization appropriate to different hardware resources or subsystems to be somewhat different, subject to the properties of the hardware resources in question, the hope is that the composition of energy-efficiency optimizers for all such resources will accumulate to form an efficiency scheme for the whole system.ᵍ

f It is interesting to consider whether traditional heuristics such as the Five-minute Rule, designed to optimize the memory hierarchy for performance, might have analogues in energy optimization.


Getting There

The vision of systemwide concessions to energy efficiency cannot be accomplished in a single swift step. Today’s systems software is not equipped in the ways described, nor are applications written in a way that could exploit that capability. In pragmatic terms, how do we expect this outcome to be achieved, and what steps are already under way?

As a first consideration, systems must be revised to pay attention to their use of energy; the operating system itself, which is always running, has not yet been optimized in its own use of energy. To date, almost all software, including systems software, has been optimized for performance, robustness, and scalability with no consideration of energy. An initial step, therefore, is the redesign and implementation of the operating system so that its operation is energy efficient. This is a significant undertaking, and its full implications are not yet well understood.

It is not clear whether modifying existing operating systems to consider energy as a first-class constraint is feasible, although this would certainly be preferable. Experience with system security shows that attempts to introduce such fundamental considerations after the fact are fraught with complications. We can certainly anticipate fundamental new structures within systems software, and perhaps even that new operating systems will emerge as a result of the energy-efficiency pressure.

At the very least, resource-management facilities within the operating system must be adapted for energy awareness, and then for energy optimization.

g We recognize that such reductionism may be overly optimistic if there are interactions between the resources allocated by different subsystems, and that a more holistic approach (e.g., a large dynamic-programming approach) may then be necessary in systems where “every joule counts.”

Processors. Given the significant fraction of power on contemporary computing platforms attributed to CPUs (and the early introduction of power-management features on them as a result), much progress has already been made with operating-system schedulers/thread dispatchers. Careless activation of hardware when there is no useful work to be done must be eliminated. Polling within the operating system (or within applications) is an obvious example, but the use of a high-frequency clock-tick interrupt as the basis for timer events, timekeeping, and thread-scheduling can be equally problematic. The objective is to keep hardware quiescent until needed. The “tickless” kernel project in Linux introduced an initial implementation of a dynamic tick. By reprogramming the per-CPU periodic timer interrupt to eliminate clock ticks during idle, the average amount of time that a CPU stays in its idle state after each idle state entry can be improved by a factor of 10 or more. Beyond the very good ideas that dynamic ticks and deferrable timers in Linux represent, the Tesla project in OpenSolaris is also considering what the transition to a more broadly event-based scheme for software development within the operating system might imply.

The confluence of features on modern processors—CMT (chip multithreading), CMP (chip multiprocessor), and NUMA (non-uniform memory access) for multiprocessor systems with multiple sockets—invites a great deal of new work to implement optimal-placement thread schedulers. Given the ability to alter performance levels, energy efficiency and the expected introduction of heterogeneous multicore CPUsʰ will only add intrigue to this.


Storage. Compared with CPUs, the power consumed by a disk drive does not seem especially large. A typical 3.5-in., 7200RPM commodity disk consumes about 7W to 8W—only about 10% of what a typical multicore CPU consumes. Although higher-performance 10,000RPM spindles consume about 14W, and 15,000RPM drives perhaps use around 20W, what is the worry? The alarming relative rate of growth in storage, mentioned earlier, could quickly change the percentage of total power that storage devices account for. Performance and reliability factors have already resulted in the common application of multiple spindles, even on desktop systems (to implement a simple RAID solution). In the data center, storage solutions are scaling up much faster.

Low-end volume server boxes now routinely house a dozen or more drives, and one example 4U rack-mount storage array product from Sun accommodates 46 3.5-in. drives. A single instance of the latter unit, if it used 10,000RPM- or 15,000RPM industrial drives, might therefore account for 1,088W to 1.6kW, rather a more significant energy-use picture.

h Heterogeneous here means a multicore CPU in which cores of different performance levels (different CPU microarchitectures) are put in the same multicore package, and whose power-consumption consequences are therefore very different.

Storage subsystems are now obviously on the radar of the energy attentive. There are at least two immediate steps that can be taken to help improve energy consumption by storage devices. The first is direct attention to energy use in traditional disk-based storage. Some of this work has been started by the disk hardware vendors, who are beginning to introduce disk-drive power states, and some has been started by operating-system developers working on contemporary file systems (such as ZFS) and storage resource management. The second, particularly derived from the recent introduction of large inexpensive Flash memory devices, is a more holistic look at the memory/storage hierarchy. Flash memory fills an important performance/capacity gap between main memory devices and disks, but also has tremendous energy-efficiency advantages over rotating mechanical media.

Memory. Main memory, because of its relatively low power requirement (say, 2W per DIMM), seems at first glance to be of even less concern than disks. Its average size on contemporary hardware platforms, however, may be poised to grow more rapidly. With hardware system manufacturers’ focus primarily on performance levels (to keep up with the corresponding performance demands of multicore CPUs), maintaining full CPU-to-memory bandwidth is critical. The consequence has been an evolution from single- to dual-channel and now triple-channel DIMMs along with the corresponding DDR, DDR2, and DDR3 SDRAM technologies. Although reductions in the process feature size (DDR3 is now on 50-nanometer technology) have enabled clock frequency to go up and power per DIMM to go down somewhat, the desire for even greater performance via an increase in DIMMs per memory channel is still increasing the total power consumed by the memory system.

For example, a current four-socket server system (based on the eight-core Sun Niagara2 CPU) with 16 DIMMs per socket using DDR2 dual-channel memory technology, has 64 DIMMs total. This would increase to 24 DIMMs per socket (96 total) if its faster successor used DDR3 triple-channel memory instead. A representative DDR2 DIMM consumes 1.65W (or 3.3W per pair), whereas the lowest-power edition of the current DDR3 DIMMs consumes 1.3W (or 3.9W per trio). The result appears to be an increase of only 20% power consumption—from about 100W to 120W total in our example.

Given that the next-generation CPU will also have twice as many cores per socket, however, a possible scenario is also to desire twice the number of memory sets per socket (for a possible 192 total DIMMs) to balance overall memory system performance. The result, therefore, could be an increase from 100W to 240W (a 140% increase in power consumption for the whole memory system)! This trend is even being observed on desktop-class machines, admittedly at a much smaller scale, as systems containing quad-core hyperthreaded CPUs (such as Intel’s Nehalem) have appeared.

If available physical memory is to be enabled and disabled, and perhaps correspondingly reconfigured as a system’s processing capacity is dynamically adjusted, some new functionality will be required of the operating system’s memory-management subsystem. The design of a future-looking virtual memory system that is energy aware and able to adjust physical memory resources while running is an open problem.


I/O. Energy aspects of the I/O system on hardware platforms will likely become more important as well. As a simple example, present-day local-area networking interconnect and subsystems have evolved in two important respects: link-aggregation is increasingly used to bolster network bandwidth and reliability; and individual interconnect speed has advanced from 1GB to 10GB, with 40GB on the horizon. A transceiver for a 10GB network interface card may now require as much as 14W when operating at full speed, with a consequential power reduction when its link speed is reduced to 1GB or lower (about 3W at 1GB, 1W at 100MB). Other high-speed interconnects such as InfiniBand can be expected to have similar energy considerations for the overall system. Little attention has been given to the energy implications of communication interconnects in any of their various architectural manifestations, from on-chip to wide area networking.


The Evolution of Application Software 

The most strategic aspect of energy- 
efficient computing will be the evo- 
lution of application software to fa- 
cilitate systemwide energy efficiency. 
Although we can certainly expect new 
application interfaces to the system 
software supporting the develop- 
ment of new energy-efficient applica- 
tions, the transition of historical and 
present-day applications represents a 
long-term evolution. How will we ad- 
dress the problem of greater energy 
efficiency for the remainder of the 
installed base in the interim? Obvi- 
ously, it will not be brought about as 
the result of a unique epoch in the 
implementation of all existing appli- 
cations. 

One possibility for addressing the 
energy agnosticism of existing appli- 
cations is to perform extrinsic analysis 
of their runtime behavior. Empirical 
data can be gathered about the degree 
to which application performanceⁱ is 
sensitive to varying levels and types of 
resource provisioning. For example, 
one can observe the degree to which 
performance is increased by the addition 
of CPU resources, or the allotment 
of a CPU with higher-performance 
microarchitecture, and so on.¹⁰ The application 
might then be labeled, in its 
binary form, with its measured degree 
of sensitivity, without requiring the 
alteration of its existing implementation. 
The operating system could 
then use the data to assign resources 
that pursue a certain specified performance 
level or to locate an appropriate 
performance-versus-energy consumption 
trade-off. 

ⁱ This assumes one can define some objective 
external metric of performance, which may be 
problematic. 

Inevitably, we expect that a combi- 
nation of techniques will be needed: 
both explicit, in which the applica- 
tion itself informs the system of its 
throughput and resource provisioning 
needs; and implicit, in which static 
and dynamic analysis is used to model 
resource needs relative to performance 
and energy consumption. 


Conclusion 

We are still at the debut of energy- 
conscious computing, with a great 
deal of the industry’s attention being 
given to the introduction and use 
of power-management mechanisms 
and controls in individual hardware 
components rather than to the broad- 
er problem of energy efficiency: the 
minimization of total energy required 
to run computational workloads on a 
system. This article suggests an over- 
all approach to energy efficiency in 
computing systems. It proposes the 
implementation of energy-optimi- 
zation mechanisms within systems 
software, equipped with a power 
model for the system’s hardware and 
informed by applications that suggest 
resource-provisioning adjustments 
so that they can achieve their required 
throughput levels and/or completion 
deadlines. 

In the near term, a number of heu- 
ristic techniques designed to reduce 
the most obvious energy waste asso- 
ciated with the highest-power com- 
ponents, such as CPUs, are likely to 
remain practical. In the longer term, 
and for more effective total energy 
optimization, we believe that tech- 
niques able to model performance 
relative to the system’s hardware con- 
figuration (and hence its energy con- 
sumption), along with an improved 
understanding and some predictive 
knowledge of workloads, will become 
increasingly important. 
To succeed on a global scale, businesses 
should focus on a trio of key elements. 

BY SIEW KIEN SIA, CHRISTINA SOH, AND PETER WEILL 


Global IT Management 

Structuring for Scale, Responsiveness, and Innovation 


Globalization is a significant factor in today’s business 
strategies,® as companies in mature markets 
seek growth by expanding their operations in the 
emerging markets of Asia, Latin America, Eastern 
Europe, and the Middle East. These multinational 
companies (MNCs) have to extend their existing 
portfolio of IT applications, infrastructure, and 
services to support their global business strategies. 


However, managing globally distribut- 
ed IT resources is challenging. Visibil- 
ity of such resources is often poor, as 
the local IT unit may not report back 
to central IT, and in many firms there 
is no enterprisewide IT budget man- 
agement. For most firms there is also 
an inherent global-local tension to si- 
multaneously achieve three strategic 
objectives: scale, responsiveness, and 
innovation. To balance the trade-offs, 
practice and research in the structur- 
al design of IT has moved away from 
the IT centralization-versus-decen- 
tralization debate to more nuanced 
forms of IT organizational design. 
These include the federal structure," 
hybrid governance,° “centrally decentralized” 
governance,'’ and matrixed 
governance."® 

These “hybrid” structures recog- 
nize that the various types of IT ac- 
tivities have different operating char- 
acteristics and economics and thus 
should be managed differently. Some 
researchers, for example, have found 
the management of IT infrastructure 
is usually centralized, while the man- 
agement of IT use is often decentral- 
ized. The development of IT appli- 
cations resides in the local units for 
some organizations, or at central IT 
for others, while a third group has ap- 
plications development capabilities 
at both central and local units. Agar- 
wal and Sambamuthy' noted three 
variants—the partner, platform, and 
scalable model—where the decision 
rights for each of eight IT value pro- 
cesses (for example, infrastructure 
management, solutions delivery, and 
strategic planning) could be central- 
ized, decentralized, or shared. Allocat- 
ing decision rights differently for dif- 
ferent IT activities was also at the heart 
of the matrix governance proposed by 
Weill and Ross'*’—who identified dif- 
ferent configurations for making five 
key IT decisions—IT principles, IT ar- 
chitecture, IT infrastructure, business 
application needs, and IT investment 
and prioritization. 

The features of hybrid structures re- 
main under-studied, particularly as in- 
creasing globalization has resulted in 
continuing evolution of the structure 
of the IT function. Ineffective global 
IT structures result in the duplication 
of resources, proliferation of IT sys- 
tems, increased complexity and risk, 
and the compromise of key business 
requirements such as agility. Here, 
we ask how are hybrid IT structures 
implemented in the global context 
to balance the global-local tensions 
while achieving scale, responsiveness, 
and innovation? 


Structuring the Global IT Organizations 

We examine this question through 
in-depth studies of four industry lead- 
ing MNCs that have established a 
strong global presence, particularly 
in emerging markets such as Asia. 
The four companies represent a di- 
verse set of industries. Microsoft de- 
velops, manufactures, licenses, and 
markets software in 90 countries. In- 
tel is the world’s largest producer of 
semiconductor chips and operates 
in 60 countries. Procter and Gamble 
is a leading manufacturer and mar- 
keter of consumer products in three 
sectors—beauty care, household care, 
and health and well being—across 
more than 180 countries. Underwood 
Financials (pseudonym) is among the 
top 10 investment banks globally, operating 
in 60 countries, and continues 
to perform relatively well even in the 
current economic downturn. 


Table 1. Examples of P&G Global Business Services. 

Employee Services and Solutions 
  Employee Services: Pay, benefits, policies, career development, work plans 
  People Management: Compensation planning, relocation, employee management tools 
  Facilities: Office moves, conveniences: banking, dining, fitness centers, mail and documents 
  Computers and Communications: PCs, email, mobile phones, Intranet, service support 
  Meetings: Rooms, technology and scheduling, audio and video conferencing, events 
  Travel: Booking, expense accounting, credit cards, group meetings 

Business Services and Solutions 
  Strategic Sourcing and Procurement: Strategic sourcing, supplier relationship management, procurement service 
  Financial Services and Solutions: General ledger, affiliate accounting, product/fixed asset accounting, SRAP/MSA accounting, purchases-to-payment (include accounts payable), banking, financial reporting 
  Product Innovation: Bioinformatics systems, product imaging and modeling systems 
  Supply Network Solutions: Demand planning systems, total order management, physical distance systems 
  Consumer Solutions: Prime prospect research, CRM systems, advertising and media measurement 
  Customer Solutions: Shopper intelligence, in-store action planning, trade fund management systems 
  Initiative Management: Technical package and materials design, package artwork process, portfolio tracking, and reporting 
  Business Performance Solutions: Decision cockpits, market mix modeling, competitive intelligence, ad hoc business analyses 

We interviewed between two and six 
executives (a few with multiple inter- 
views) in each firm including the CIO, 
examined internal documents such 
as organization charts, and publicly 
available information such as annual 
reports, analyst reports, and news re- 
ports. Our interview questions were 
concerned with how these companies 
had set up and managed their global 
IT structures with a particular focus 
on the fast-growing Asian region. 

Our findings showed that, despite 
the variation in industry, all the MNCs 
studied used three common structur- 
al elements to link the enterprisewide 
IT leadership (who design and over- 
see enterprisewide IT governance, 
the IT budget, and portfolio management, 
enterprise architecture, and 
enterprise risk management), and the 
more locally focused concerns of the 
business units. Although companies 
sometimes labeled these elements 
differently, such as, shared services, 
centers of excellence (CoEs), and value 
managers (VMs), the goals of each ele- 
ment were the same across the firms. 
The objective of shared services was to 
achieve scale economies; the objective 
of CoEs was to drive innovation; and 
the objective of value managers was 
to enable responsiveness. The three 
structural elements are described 
here in detail. 

IT Shared Services are structural 
units that consolidate common IT 
functions (for example, helpdesk, 
operations, development) to achieve 
scale by providing standardized ser- 
vices. Such sharing eliminates un- 
necessary duplication of IT resources 
and improves utilization of IT assets. 
Global MNCs often have three shared 
service units located in the Americas, 
Europe, and Asia focused on delivery 
within their respective regions and 
serving as backups for the other re- 
gions. Microsoft, for example, created 
regional shared services at Richmond 
(corporate headquarters serving North 
America), Dublin (serving Europe, 
Middle East, and Latin America), and 
Singapore (serving Asia) to manage IT 
services across the globe. 

Shared service units can offer a 
wide range of IT services, allowing the 
local business units to choose from 
a catalog of IT services. The global-local 
tension here is to encourage local 
units to use more of the shared 
services while still meeting the diverse 
needs of the local units. For example, 
as a $90 billion global enterprise oper- 
ating in more than 180 countries and 
marketing over 250 brands to nearly 
five billion consumers, P&G created 
the Global Business Services (GBS) 
unit in 1999. GBS provides a set of 70 
IT services on a global scale with pub- 
lished IT unit costs and service-level 
agreements. To provide around-the- 
clock business support worldwide, 
three shared-services centers have 
been built: in San Jose, Costa Rica; in 
Newcastle, U.K.; and in Manila, Philippines. 
GBS strategy is to provide best-in-class 
business support services at 
the lowest possible costs. 

P&G draws on its strong marketing 
culture to package and offer a catalog 
of services to its business units across 
the globe. The catalog embodies two 
principles of effective marketing— 
simplicity and choice (with transpar- 
ent pricing). P&G filters the “best- 
in-class” service offerings down to a 
single-page catalog in two “shopping 
aisles”—Employee Services and Business 
Services (see Table 1). Brands 
who consume these services still 
have control and choice even though 
some of the solutions are mandated. 
Within the mandated solutions, there 
are several tiers of service with differ- 
ent prices. Brand units can influence 
their costs by choosing a tier of service 
and influencing the number of units 
of service consumed. Pricing is also 
dependent on the region. To encourage 
business units to adopt the shared 
solutions, GBS guarantees a 10%-30% 
cost reduction initially. 

An annual “glide-path” of unit 
price reduction is also built in. Brand 
units are thus incentivized to phase 
out their local services increasing the 
shared service stack to achieve more 
global scale and allowing the local 
units to focus more on meeting the 
needs of the external customer. An- 
other benefit of shared services is to 
make the cost of each IT service trans- 
parent so it can be managed. Previ- 
ously these costs were often hidden or 
not managed. To achieve such flexible 
service delivery requires sophisticated 
IT financial management. IT service 
design, internal marketing, pricing, 
and service optimization and innovation 
are performed by P&G personnel 
while the delivery is outsourced. GBS’s 
capability extends beyond IT, including 
financial, sourcing, and HR services. 
P&G has identified over $600 million 
in savings from shared services 
and credits GBS with helping to absorb 
its large acquisition of Gillette in only 
15 months.* 

For the MNCs we studied, IT shared 
services achieved scale by brokering 
and incentivizing the use of standard- 
ized IT services across the firms, thus 
removing cost, duplication, and com- 
plexity. Some MNCs then outsourced 
the bulk of those shared services to ex- 
ternal service providers who have even 
greater economies of scale. 

IT Centers of Excellence (CoEs) are 
also known as competency centers or 
centers of expertise. CoEs are units that 
contain strategic IT capabilities iden- 
tified by the firm as important sources 
of value creation and service innova- 
tion. CoEs are specialized units where 
the MNCs pool expertise physically or 
virtually across the globe. These units 
often do not have operational respon- 
sibilities but they serve as strategic 
resources that focus on designing and 
developing new solutions, that is, on 
innovating and developing depth in critical 
expertise. CoEs we encountered 
included those focused on application 
development, key business processes 
(for example, trade processing) and 
specific technologies or IT platforms 
(for example, EDI). 

Underwood Financials has groups 
of IT experts who are co-located with 
the respective global product heads 
(foreign exchange, bonds, money 
market, equities, among others) in the 
HQ where new innovations in finan- 
cial products typically occur. These IT 
specialists have in-depth IT and business 
domain expertise, and they work 
closely with the business to design 
and develop new IT solutions. The 
bank’s ability for fast-to-market product 
launch globally is often dependent 
on their ability to respond with the 
necessary IT solutions. The day-to-day 
operations of the specific product 
platforms developed are handled by 
the shared services. These IT experts 
serve only as a third-level support for 
complex problems that cannot be resolved 
by first- and second-level technical 
support. 

Microsoft, similarly, has created 
the Corporate Solution Deliveries (SD) 
group comprised of specialized IT ap- 
plication developers led by about 40 
solution directors who are located with 
the businesses and work closely with 
senior VPs in each major line of business 
to translate their intimate business 
understanding into the design 
and development of global solutions. In the 
case of Intel, such pools of IT experts 
are known as Capability Groups and 
they focus on enhancing four major IT 
application development capabilities, 
namely, the supply-net capability, cus- 
tomer capability, enterprise capability, 
and platform capability. The customer 
capability group even reports outside 
IT to Sales and Marketing for tighter 
business-IT alignment in developing 
innovative IT solutions. 

As CoEs are designed to provide 
the firm expertise and innovation in 
critical areas, they are typically cen- 
trally coordinated with the head office 
identifying the areas of excellence and 
where they will be located. MNCs are 
beginning to locate some of their IT 
CoEs in Asia to take advantage of local 
talent and cost advantages. P&G locat- 
ed its CoE for mobile marketing in the 
Philippines to tap into the high usage 
of mobile phones in Asia. As part of the 
company’s strategic innovation initia- 
tive the innovations from this CoE will 
be diffused to the global market. 

Value Managers (VMs) are groups of 
IT managers that seek to maximize the 
value of IT for specific business units. 
VMs, sometimes called customer re- 
lationship managers, focus on the IT 
needs for business units, business 
functions, and large or fast growing 
geographical markets. Within the con- 
straints laid out by central IT, the VMs 
must ensure key business require- 
ments unique to these customers are 
not overlooked. They build deep rela- 
tionships with these business custom- 
ers and support their needs for respon- 
sive IT globally. VMs are organized so 
that the voices of its key customers can 
be heard, consolidated, and appro- 
priately channeled for prioritization. 
Equally important, effective VMs also 
have responsibility to help implement 
enterprisewide IT initiatives within 
these customer units. Examples of 
centrally initiated enterprisewide 
programs are global ERP implementations, 
collaboration tools, and cost-cutting 
efforts. One CIO put it well: 
“Without the second objective of implementing 
enterprisewide initiatives 
those folks (VMs) go feral and have loyalty 
only to the local units.” 


Table 2. General characteristics of the three structural elements. 

IT Shared Services 
  Objective: To achieve global/regional scale for cost efficiency while allowing some local choices via 
    > global scale/scope 
    > global sourcing of IT resources 
    > global common platform 
    Heavily resource-intensive 
    KPIs: service level agreement, unit cost, simplicity 
  Organization: By major IT functions, IT or business process services: 
    > catalog of services offered, for example, application and infrastructural services 
    > typically located in lower cost regions 
    > some services outsourced to external vendors. 
  Approach: Drive scale via: 
    > active service management and transparency 
    > standardization 
    > consolidation 
    > process improvement 
    > service quality 
    > sourcing 

IT Centers of Excellence 
  Objective: To innovate and develop best practices via 
    > global coordination of capabilities 
    > global pooling of IT expertise 
    Heavily knowledge-intensive 
    KPIs: # of new global solutions developed, time to market for new application, reuse of best practice across firm, business process performance, and so on. 
  Organization: By innovative technologies or strategic capabilities: 
    > centrally coordinated 
    > may be located outside HQ 
    > can be virtual by pooling distributed experts 
  Approach: Drive innovation via: 
    > pooling deep internal knowledge and expertise 
    > investment into experimentation and innovation 
    > applying and sharing best practices enterprisewide 

IT Value Managers 
  Objective: To maximize the value of IT for specific groups in the firm via 
    > being responsive to local needs through a single face of IT 
    > advocating for customer units to central IT 
    > helping implement enterprisewide initiatives locally 
    Heavily relationship-intensive 
    KPIs: customer satisfaction, business-IT alignment, partnership maturity, among others. 
  Organization: By major business dimensions: 
    > strategic lines of business 
    > important business functions 
    > large or fast growing geographical markets 
    > major external customers 
  Approach: Push for responsiveness via: 
    > proximity to customer units to capture voice of the customer 
    > simultaneous proximity to central IT 
    > constructive negotiation and facilitation of conflict resolution 


Microsoft has an extended field IT 
structure that covers its geographical 
market across 106 countries. Field IT 
is overseen by an International IT VP 
reporting to the Global CIO. Below the 
International IT VP are the IT manag- 
ers for three regions: North America, 
Europe/Middle East/Latin America, 
and Asia. The Asia region, for example, 
further cascades down to 13 regional 
clusters. These IT managers play a 
brokering role, such as in representing 
Central IT to influence and negotiate 
with the regional business owners, 
as well as the customer advocates 
in championing the interests of these 
business units and ensuring they de- 
rive adequate value from IT. 

In one MNC, for example, when a 
new business in a major Indian city 
required an application for its fast- 
growing business, the local general 
manager wanted it delivered in six 
weeks, and was willing to pay for the 
required resources. Conformance with 
the global organization’s IT approval, 
development, and quality processes, 
however, would require six months. 
The IT manager (VM) assessed that de- 
lay would impact the business growth, 
and negotiated a solution to put a pro- 
gram manager to work with the local 
GM’s resources in meeting the local 
business’ timeline. The VM ensured 
the new system met global guide- 
lines on security and architecture. In 
another example, the global human 
resource application was unable to 
handle the high volume of recruit- 
ment in an Asian office. As the time 
required to change the global applica- 
tion would take too long, the IT man- 
ager (VM) negotiated for a short-term 
module to be created, while providing 
input to the global applications team. 
The short-term module would be used 
until the rollout of the next version of 
the global HR solution which includ- 
ed the new requirement to process the 
higher recruitment volume. 

The “voice of the field” provided 
through the VMs in emerging markets 
can also be a source of global inno- 
vation. Through such feedback, P&G 
recognized the need for new IT appli- 
cations to cater to the needs of Asian 
businesses. In one example, P&G 
noted a difference in the sales dis- 
tribution model as Asian consumers 
tend to shop more frequently and in 
smaller quantities, and hence, began 
developing IT systems to support the 
fast growing “high frequency stores” 
segment. These systems are expected 
to be useful in other emerging regions 
as well. Another example is P&G’s SKII 
beauty product, which originated in 
Japan and has grown to become one 
of the premium brands in the global 
cosmetic market. The product distri- 
bution for SKII operated on a differ- 
ent business model from P&G’s mass 
market positioning, as it was sold in 
department stores with dedicated 
counter sales consultants. To support 
the high-touch sales model, systems 
were built to automate counter opera- 
tions, to track transactions for each 
customer, and to provide analysis of 
sales/marketing plans by customer 
segment. The systems significantly 
increased the efficiency for the thou- 
sands of sales consultants in Japan. 
The SKII line, together with the en- 
abling systems, has been successfully 
deployed to the rest of the world. 

Table 2 summarizes the general 
characteristics of these three structur- 
al IT elements, across the companies 
that we studied. 


Configuring the Global-Local Balance in the Structural Elements 

Although the four MNCs we studied 
are from different industries, they all 
had implemented similar structural 
elements of shared services, CoEs, 
and VMs. This observation suggests 
some convergence regarding the glob- 
al structuring of IT resources, as they 
all seek to simultaneously achieve 
global scale, while providing local re- 
sponsiveness and innovation. The ac- 
companying figure summarizes the 
model for structuring global IT that 
emerges from our study. 

However, multinationals still need 
to make trade-offs among these stra- 
tegic objectives. Managers seek these 
trade-offs by varying configuration of 
each structural element and distrib- 
uting resources among them. One of 
the most common trade-offs we ob- 
served was between achieving scale 
and responsiveness. Companies that 
sought greater scale tended to have 
a single global shared service unit. 
Underwood Financials, for example, 
has a single global shared service 
unit in Singapore that serves all busi- 
ness units worldwide over three work 
shifts. While first-line support was 
available 24x7, more sophisticated 
level 3 support was still centralized at 
headquarters. Responsiveness to com- 
plex problems that occurred in other 
time zones was therefore a challenge. 
At the time of this study, the head of 
shared services was lobbying for level 
3 support in the Asian time zone as 
well. Other MNCs traded off global 
scale for greater regional responsiveness. 
Microsoft, for example, operates 
three regional shared services units, 
covering North America, Europe-Mid- 
dle East-Africa and Latin America, and 
Asia respectively. 

The configuration of CoEs also re- 
flected trade-offs between local and 
more global innovation. While most 
CoEs tend to be global because such 
specialized expertise is usually costly 
and in tight supply, companies vary 
in whether they choose to locate the 
CoEs at HQ, or abroad, or to create 
virtual CoEs that pool expertise virtu- 
ally across several geographies. Under- 
wood Financials’ application develop- 
ment CoE for its financial products 
resides with its business headquarters, 
which allows it to more tightly link its 
innovation activities to corporate strat- 
egy. P&G, on the other hand, has begun 
to experiment with locating some of its 
CoEs abroad, for example, its global 
mobile marketing CoE is in the Philip- 
pines. This is a response to the perva- 
siveness of mobile communications in 
Asia. Less commonly, MNCs attempt to 
achieve even greater responsiveness of 
local conditions by establishing CoEs 
at the regional level if there is signifi- 
cant disparity in institutional context, 
for example, having a separate region- 
al SAP Competency Center in China 
to address the different language and 
its unique requirements. The trade-off 
is in the replication of resources, and 
greater coordination challenges of 
aligning local innovation with corpo- 
rate direction. 

MNCs, such as Underwood Fi- 
nancials that have prioritized scale 
through having a single global shared 
service center, and also global CoEs 
located at HQ, clearly are at risk of not 
responding adequately to legitimate 
regional or local concerns. In the case 
of Underwood Financials, they at- 
tempted to address this by creating a 
hierarchy of VMs. Within each region, 
there are VM roles at the intersection 
of product lines and region. For ex- 
ample, there would be VMs for bonds- 
Asia Pacific, bonds-Europe, and so 
on. These VMs had a matrix reporting 
structure to both the line of business, 
and to the regional CIOs. There were 
various forums that brought together 
VMs, with business and global IT ser- 
vices and CoEs, as a means to pro- 
mote coordination and communica- 
tion within this complex organization 
structure. Hence, while Underwood 
Financials reaped scale efficiencies 
from having global shared services 
and CoEs, it invested in its elaborate 
VM structure to be more responsive to 
local needs. 


Figure. A model for structuring global IT. (Diagram labels: IT Leadership, with IT governance design, IT budget and portfolio management, enterprise risk management, and enterprise architecture planning; Centers of Excellence; Shared Services; Value Managers.) 


We found VMs play a critical role 
in ensuring the inherent tensions be- 
tween scale, responsiveness, and in- 
novation are played out constructively 
in each business and region. The se- 
lection and training of VMs, as well as 
ongoing support, is critical. For exam- 
ple, Intel actively grooms IT managers 
who can appreciate both the global 
and local perspectives. Intel selects 
high-potential local individuals, ex- 
poses them to various “extracurricular 
activities” such as IT cost reduction 
initiatives, and sends them on year- 
long postings in other roles. Intel also 
rotates some of its best people in oth- 
er parts of the world through manage- 
ment stints in Asia to encourage a bal- 
anced global-local view so that more 
informed trade-offs can be made. 

The VMs’ role in constantly medi- 
ating between local demands and cor- 
porate policy can be wearing. In some 
MNCs, VMs who thrived did so by de- 
veloping and drawing upon an infor- 
mal network that comprised contacts 
in the business, corporate IT, and other 
VMs. The ability to quickly access the 
right people in the network appeared to 
enhance their ability to find solutions 
to global-local problems. Underwood 
Financials’ various forums helped to 
develop such networks, as did Intel’s 
approach to rotating its managers. 

MNCs’ trade-offs between scale, in- 
novation, and responsiveness need to 
be made taking into account a com- 
plex mix of factors including: industry, 
size, desired levels of synergies, access 
to skilled people, and the roles of scale, 
innovation and responsiveness in the 
business model. Table 3 lists some of 
the questions we suggest CIOs consider 
in deciding the extent of scale, innovation, 
and responsiveness desired. 

Globalization is an opportunity for 
CIOs to demonstrate business leader- 
ship. Shared services, CoEs, and VMs 
are structural elements that CIOs are 
increasingly using to re-bundle tradi- 
tional IT resources to simultaneously 
deliver on scale, responsiveness, and 
innovation. We have observed that 
successful development of such IT 
managerial capabilities can deliver 
significant competitive advantage. 


Table 3. Discussion questions for the design of structural elements in global IT. 

IT Shared Services 
  > What is the desired level of scale to be derived from IT shared services? 
  > Is your product or service global or commoditized? Is there significant value added from local variations? 
  > What are the factors that contribute to scale in your industry (for example, common customers, processes, resource, or information)? 
  > What are the common IT applications and infrastructure services that can be bundled to be offered through shared services? 
  > How are costs shared across the firm (for example, chargeback by service, overhead absorption depending on size, and so on)? 

IT Centers of Excellence 
  > Do you need to coordinate IT enabled innovation? 
  > Are your company’s market offerings and competitive advantage driven by innovation in process, product, and/or technology? 
  > What are the strategic IT capabilities that can contribute to the future competitive advantage? 
  > What IT capabilities can benefit from regional or global pooling of expertise 

IT Value Managers 
  > What is the desired level of IT responsiveness to local needs? 
  > and meeting local IT needs? 

Statistical Learning Methods 


Statistical learning comes in two versions: 
supervised and unsupervised. Unsupervised 
learning aims to elucidate patterns in 
unstructured (usually high-dimensional) data 
sets. Here, we exemplify unsupervised 
statistical learning methods with the 
mutagenetic trees model. Supervised methods 
use data sets of (usually high-dimensional) 
inputs x and associated (scalar or categorical) 
outputs y, to derive computational procedures 
for predicting (given a new input x₀) the 
associated output y₀. Here, we exemplify 
supervised statistical learning through the 
support-vector-machine model. 

Mixtures of mutagenetic trees. A 
mutagenetic tree is a tree-shaped Bayesian 
model; two are included in Figure 6. The tree 
is rooted, and its root represents the viral 
wildtype, or the absence of mutation. Each 
other tree node represents a mutation. The 
edges of the tree are directed downward and 
labeled with conditional probabilities. Given 
the presence of all mutations along the path 
from the root of the tree to the source node 
of an edge, the label of the edge indicates 
the probability that the mutation at its target 
node takes place. 

In principle, a mutagenetic tree can be 
used to generate a set of viral variants by 
performing a random experiment based on 
the probabilities at the edges of the tree. We 
are not interested in explicitly performing 
such an experiment. Rather, given a set of viral 
variants (such as the subset of viral genotypes 
in our resistance database that has seen a 
certain drug, like saquinavir) we are looking 
for the mutagenetic tree that generates that 
set with greatest probability (maximum 
likelihood model). This tree best represents 
the escape of the virus toward resistance 
against the drug saquinavir. 

Desper et al.* presented a method for 
finding a mutagenetic tree that is optimal 
under restricted circumstances and good 
(only) in the general case; the result is derived 
not in a viral context but in the context of 
cancer research. We extended the method 
to be able to generate several trees,‘ because 
viral escape paths do not usually submit to 
a single tree model, as reflected in Figure 6. 


protein gp120 to bind to surface pro- 
teins of the host cell. This binding 
event triggers a cascade of structural 
changes of the participating proteins 
that result in HIV entering the host 
cell. Once inside, HIV sheds its mo- 
lecular envelope and uses a special vi- 
ral protein—the reverse transcriptase 
(RT)—to copy its RNA genome to DNA. 
The DNA is then transported into the 
cell nucleus where it is spliced into 
the genome of the host cell with the 
help of a second viral protein—the 
integrase (IN). At this stage, the viral 

Again, this method is heuristic; it does not 
find the best model but just a reasonably 
good model. Rather than labeling the edges 
of a mutagenetic tree with conditional 
probabilities, we can also annotate them with 
expected times for the relevant mutation to 
occur. Labeling affords a route to analyzing 
the times the virus takes to escape toward 
resistance.’ We use this model to assess 
therapy effectiveness. 
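
The following added example (not code from the article or from geno2pheno) evaluates a genotype's probability under a mutagenetic tree and under the two-tree mixture described above. The tree shape follows the zidovudine escape paths named in the article; the edge probabilities, the star-shaped noise tree and the sample genotypes are constructed assumptions, and the fitting step only re-estimates edge labels for a fixed tree shape rather than searching for the tree itself.

```python
import math
from itertools import combinations

ROOT = "wildtype"  # root node: the reference virus, no mutation

# Tree shape follows the two escape paths named in the article
# (K70R then K219E/Q; T215F/Y before M41L). The edge probabilities are
# CONSTRUCTED for illustration; the article does not state them.
TAM_TREE = {                      # child: (parent, P(child | parent present))
    "K70R":    (ROOT, 0.40),
    "K219E/Q": ("K70R", 0.50),
    "T215F/Y": (ROOT, 0.50),
    "M41L":    ("T215F/Y", 0.60),
}
# ASSUMPTION: the noise tree is modelled as a star, every mutation hanging
# off the root independently with a constructed probability.
NOISE_TREE = {m: (ROOT, 0.25) for m in TAM_TREE}
# Mixture weights reported in the article: 78% TAM paths, 22% noise.
MIXTURE = [(0.78, TAM_TREE), (0.22, NOISE_TREE)]


def tree_probability(tree, genotype):
    """Probability that the random experiment on `tree` yields `genotype`."""
    genotype = set(genotype)
    unknown = genotype - set(tree)
    if unknown:
        raise ValueError(f"mutations not in tree: {sorted(unknown)}")
    prob = 1.0
    for child, (parent, p) in tree.items():
        parent_present = parent == ROOT or parent in genotype
        if child in genotype:
            if not parent_present:
                return 0.0        # a mutation cannot precede its parent
            prob *= p
        elif parent_present:
            prob *= 1.0 - p       # edge was available but not taken
        # parent absent and child absent: the edge is never tried
    return prob


def mixture_probability(mixture, genotype):
    """Weighted sum of the component trees' probabilities."""
    return sum(w * tree_probability(t, genotype) for w, t in mixture)


def component_posteriors(mixture, genotype):
    """Posterior probability of each component tree given the genotype."""
    joint = [w * tree_probability(t, genotype) for w, t in mixture]
    total = sum(joint)
    if total == 0.0:
        raise ValueError("genotype has zero probability under every tree")
    return [j / total for j in joint]


def log_likelihood(mixture, genotypes):
    """Log-likelihood of a cross-sectional set of genotypes."""
    total = 0.0
    for g in genotypes:
        p = mixture_probability(mixture, g)
        if p == 0.0:
            return float("-inf")
        total += math.log(p)
    return total


def fit_edge_probabilities(tree, genotypes):
    """Maximum-likelihood edge labels for a FIXED tree shape: the share of
    genotypes carrying the child among those in which the parent is present."""
    fitted = {}
    for child, (parent, _old) in tree.items():
        eligible = [g for g in genotypes if parent == ROOT or parent in g]
        hits = sum(1 for g in eligible if child in g)
        fitted[child] = (parent, hits / len(eligible) if eligible else 0.0)
    return fitted


def all_genotypes(tree):
    """Every subset of the tree's mutations (for sanity checks)."""
    names = sorted(tree)
    return [set(c) for r in range(len(names) + 1)
            for c in combinations(names, r)]


# CONSTRUCTED cross-sectional sample: one genotype per patient.
SAMPLE_GENOTYPES = [
    set(), set(), {"K70R"}, {"K70R"}, {"K70R", "K219E/Q"},
    {"T215F/Y"}, {"T215F/Y", "M41L"}, {"T215F/Y", "M41L"},
]

if __name__ == "__main__":
    for g in (set(), {"K70R", "K219E/Q"}, {"M41L"}):
        print(sorted(g), "tree:", tree_probability(TAM_TREE, g),
              "mixture:", round(mixture_probability(MIXTURE, g), 6))
    print("posteriors for M41L alone:",
          component_posteriors(MIXTURE, {"M41L"}))
    print("refitted edges:", fit_edge_probabilities(TAM_TREE, SAMPLE_GENOTYPES))
```

A genotype that carries M41L without T215F/Y has probability zero under the structured tree, so only the noise component can explain it; this is why a single tree does not fit real data.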

Classifying therapy success with 
support-vector machines. Different versions 
of THEO have used different multivariate 
statistical-learning methods to come up 
with accurate classifiers. Among them are 
logistic model trees“ and support-vector 
machines.’ Support-vector machines are a 
recent, popular method for classifying data 
that regards data as points in a (usually high- 
dimensional) Euclidean space. In our case, 
each data point represents a therapy change 
episode, or event where physicians assign a 
new therapy based on a viral genotype seen 
in a patient. Some therapy selections are 
successful, others are not. This dichotomy 
represents our binary classification problem. 
The question of what is a successful therapy 
and what is a failure, both medically and 
methodically, is beyond our scope here. 

A linear support-vector machine defines 
a hyperplane that best separates the set of 
points indicating therapy successes from 
the points indicating therapy failures. The 
hyperplane divides the Euclidean space into 
two half-spaces, one for therapy success, 
one for therapy failure. What is the “best” 
hyperplane (for minimizing risk of wrong 
predictions) is defined in terms of two criteria: 

Discriminating between therapy successes 
and failures. As few therapy data points as 
possible should be located “on the wrong 
side” of the hyperplane, that is, we do not want 
to see therapy failures in the half-space for the 
successes and vice versa. The further a point is 
in the wrong half or away from the hyperplane 
on the wrong side, the more it reduces the 
quality of the model; and 

Maximizing prediction reliability. The 
hyperplane should be as distant as possible 
from the closest correctly classified points. 


DNA is called a “provirus.” Once the 
cell begins to divide, as it does within 
an immune response, it manufactures 
all components of the virus. These 
components assemble near the cell 
surface, and a new still-immature vi- 
rion buds from the cell. In a final mat- 
uration step, strings of viral proteins 
in the immature virion (the so-called 
polyproteins) are cleaved to yield the 
functional viral proteins. This ren- 
ders the virion infectious. The protein 
performing the cleavage is the viral 
protease (PR). Each host cell is able 




Since the hyperplane represents the 
“decision boundary,” points lying close to 
it represent uncertain decisions, and small 
changes in the data or in the location of the 
hyperplane can reverse their classification. 

Quadratic programming techniques 
are used to find the optimal hyperplane 
according to these criteria. 

While we have taken state-of-the-art 
versions of support-vector machines 
developed by others, our main objective here 
is to define the Euclidean space to which we 
apply the support-vector machine. We must 
therefore address the following issues: 

Representing viral genotypes. Should 
we use binary indicator variables? Which 
mutations should we consider? Considering 
all possible mutations leads to a high- 
dimensional space and is thus infeasible; 
and 

Additional information for the 
method. The therapy we want to apply 
is a necessary input. Additional input 
includes predictions of resistance factors 
against single drugs, the probability that 
the virus will achieve resistance against a 
drug in a certain time interval (estimated 
via the mutagenetic trees), and previous 
antiretroviral drugs to which the patient 
was exposed. 

Addressing them is difficult, as we 
must balance the amount of information 
we present to the method against the 
available data. The more information we 
present, the more complex are the resulting 
models. However, we must find the best 
model on the basis of limited data. If 
models are too complex we incur the risk 
of overtraining the model. An overtrained 
model incorporates not only patterns 
pertaining to the phenomenon or process 
we want to analyze and whose results we 
want to predict (here viral resistance) but 
also idiosyncrasies of the particular data 
set on which we derived the model. Such 
idiosyncrasies do not generalize to future 
data. Thus an overtrained model suffers 
from reduced predictive power. We have 
performed several studies and reported our 
choices.1% 


to produce thousands of virions for a 
long period before inevitably dying. 


Drug Therapies Against HIV 

More than two dozen drugs against HIV 
are in clinical use; see 
http://www.fda.gov/oashi/aids/virals.html 
for the current list of U.S. Food and 
Drug Agency-approved anti-HIV drugs. 
All are small 
molecules that block (inhibit) the func- 
tion of a specific protein involved in 
the viral replication cycle, the so-called 
target protein. One way to block a pro- 
tein is to bind to it in a place that deacti- 

Figure 1. Replication cycle of HIV, yellow dots: RT molecules, green dots: IN molecules, red dots: 


can be infectious for extended periods 
without their contacts knowing. For in- 
fected patients one problem involves 
the fact that the virus inserts its ge- 
nome into the genome of the infected 
cell. These people cannot be cleared 
of the virus. As we describe here, the 
virus evolves dynamically. Thus it is dif- 
ficult to produce vaccines against HIV, 
and no vaccine against HIV is in sight. 
Since there are major obstacles to 
curing AIDS, the objectives of drug 
therapy are to ease symptoms and delay 
progress of the disease by suppressing 
viral replication. 

Since the virus continually changes 
in a patient, physicians are chasing a 
moving target. Given a particular drug 
therapy, the virus evolves toward resis- 
tance. The drug therapy then has to be 
changed to suppress what is now the 
prevalent viral variant in the patient. 
The underlying biological relationships 
between the viral genotype—the 
particular genome sequence of the 
virus—and the viral resistance 
phenotype—its ability to escape 
antiviral drugs—are complex and not 
well understood. Therefore, drug 
therapies are selected not so much on 
the basis of understanding the 
underlying biology as they are on the 
basis of clinical experience. 

Clinical experience in treating 
AIDS patients with antiviral drugs has 
been collected for the past 20 years 
and assembled in sizeable resistance 
databases. The complexity of the 
relationship between viral genotype and 
resistance phenotype suggests using 
statistical-learning methods to support 
computational models for predicting the 
resistance phenotype from the viral 
genotype. For this purpose, we have 
developed the Web server geno2pheno 
(http://www.geno2pheno.org), offering 
such analysis for free on the Web. 


Replication Cycle of HIV 
HIV is not an autonomous organ- 
ism but rather an enveloped piece of 
genome, roughly 10,000 letters of ge- 
nomic text (bases) in protein packag- 
ing. This tiny genomic text (compared 
to three billion letters of the human 
genome) defines one of the most vi- 
cious biological killers. The structure 
of the HIV virus particle (virion) is 
known in detail.° 

As with all viruses, to replicate, HIV 
uses the cells it infects, usually those 
of the human immune system (such 
as T-lymphocytes). Knowledge of the 
replication cycle of HIV (see Figure 1) 
is the basis for all drug therapies in 
use today. The genome of HIV does 
not consist of DNA (as in humans) but 
of the close relative RNA that in hu- 
mans is used for translating genomic 
information and regulating cellular 
processes. The replication cycle of 
HIV begins with HIV using its surface 

With no HIV vaccine in sight, virologists 
need to know how the virus will react to a 
given combination drug therapy. 


BY THOMAS LENGAUER, ANDRE ALTMANN, 
ALEXANDER THIELEN, AND ROLF KAISER 


Chasing 
the AIDS 
Virus 


THE MOST CHALLENGING problem for physicians 
treating AIDS patients with anti-HIV drugs is that 
the virus almost inevitably evolves toward resistance 
against any administered drug therapy. Once 
resistance is manifest, the physician must change 
the therapy regimen, which typically consists of a 
combination of anti-HIV drugs. Here, we describe 
bioinformatical methods supporting the choice of 
an effective follow-up therapy. Using underlying 
clinical-resistance databases and statistical-learning 
methods, we identify as-yet-undescribed resistance 
mutations, predict the level of resistance of a viral 
variant extracted from the blood of an AIDS patient 
against anti-HIV drugs, and estimate 
the expected mutational path of the vi- 
rus toward resistance against specific 
combination drug therapies. This com- 
putational method enables us to rank 
possible therapies with respect to their 
expected effectiveness. We also offer 
a computational test for the expected 
effectiveness of a new drug capable of 
blocking viral cell entry. 

Our analyses, which are freely avail- 
able on the Internet via the server 
http://www.geno2pheno.org, are used 
routinely for treating about two-thirds 
of AIDS patients in Germany. 

AIDS is a major scourge worldwide, 
causing millions of deaths annually. 
Whereas due to education and pre- 
ventive measures, the number of new 
infections in the developed world is 
comparatively limited, other parts of 
the world (notably Sub-Saharan Africa) 
exhibit very high infection rates. The 
disease is on the rise globally.”° 

The AIDS pathogen—the Human 
Immunodeficiency Virus, or HIV— 
crossed over to humans from apes as 
recently as 100 years ago. The pathogen 
and its new host apparently have not 
yet adapted through co-evolution. Con- 
sequently, HIV is highly pathogenic in 
humans, unlike chimpanzees, which 
exhibit very high infection rates with 
the Simian Immunodeficiency Virus, 
or SIV, without presenting debilitating 
symptoms. 

AIDS is especially lethal for a num- 
ber of reasons. For the human popula- 
tion, one danger involves the fact that 
symptoms develop slowly, so hosts 

• Clinical databases can be mined to help 
generate statistical models that predict 
HIV’s viral resistance to administered 
drugs. 

• These models incorporate interactions 
between drugs in combination with 
drug therapies, estimating future viral 
escape path toward resistance to 
an applied drug regimen. 

• By continually incorporating new 
clinical insights and drugs, the software 
tool helps support therapy decisions 
in clinical routines. 

vates the protein, either by replacing its 
natural binding partner or by interfer- 
ing with essential protein movements. 
Target proteins can be viral or human. 
The classical target proteins are viral, 
namely RT and PR. Originally, viral pro- 
teins were preferred because one does 
not want to interfere with unknown 
functions of human target proteins. 
However, viral target proteins have the 
disadvantage that the virus can quickly 
change them through mutation and 
thus evolve toward drug resistance. 
More recently, human proteins have 
also been targeted by antiviral drugs. 


Toward Resistance 

If the virus were not so variable, one or 
two AIDS drugs would suffice. But the 
virus changes its genome with practi- 
cally every copy. The reason for such 
flexibility is that RT lacks a proofread- 
ing mechanism and does not repair 
copy errors. Mutations in the HIV 
genome can result in changes in the 
composition of its proteins. Most of 
these changes are detrimental or even 
lethal to the virus, but with many mil- 
lions to even billions of virus copies 
produced daily in the same patient, 
chances are high that a viral variant 
will arise quickly whose target protein 
remains functional even in the pres- 
ence of a drug. Such a virus is resistant 
to the drug. 

Suppressing viral replication means 
reducing the number of experiments 
the virus can perform to produce a re- 
sistant variant. In order to increase the 
barrier of the virus to escape toward 
resistance, several drugs targeting dif- 
ferent viral proteins are given simul- 
taneously. This scheme, called highly 
active antiretroviral therapy, or HAART, 
renders therapies effective for much 
longer periods of time. The virus always 
wins. Most current therapies remain ef- 
fective for only months to a few years. 


Antiviral Therapies 
Once the virus is resistant, the treat- 
ing physician must select a new drug 
therapy that effectively suppresses the 
present viral variant. The standard of 
care today is to use diagnostic tools for 
selecting a new therapy regimen. There 
are two fundamental approaches to- 
ward this goal: 

Phenotypic resistance testing. 
Phenotypic resistance testing basically 
provides a lab test, essentially 
exposing the virus taken from a patient’s 
blood serum in cell culture to increas- 
ing drug concentrations and observ- 
ing quantitatively how quickly the rep- 
lication rate of the virus declines. The 
decline is compared with the decline 
of the replication rate of a nonresis- 
tant reference virus. The comparison 
yields a quantitative measure of viral 
resistance against individual drugs, 
the resistance factor. This measure is 
the drug concentration that cuts the 
replication rate of the patient’s virus 
in half divided by the drug concentra- 
tion that cuts the replication rate of 
the reference virus in half. Large resis- 
tance factors mean greater resistance. 

Phenotypic resistance testing meets 
with major obstacles when used in 
clinical practice, mainly because such 
testing is restricted to labs with high 
security levels and is thus difficult to 
standardize and not sufficiently 
accessible. Cost is another issue. 

Genotypic resistance testing. In 
contrast, genotypic resistance testing 
determines the genomic sequences of 
the relevant parts of the viral genome 
taken from a patient’s blood serum. 
The relevant genome sequence can be 
obtained cheaply, quickly, and with 
standardized procedures by many 
laboratories. However, it is not easy to 
infer the resistance phenotype from the 
viral genotype. Virologists used to 
perform this interpretation by hand with 
the help of a so-called mutation table; 
mutation tables are offered and 
continually updated by such authorities as 
the International AIDS Society," 
collecting the global knowledge on 
mutations observed to cause resistance 
against specific drugs. Figure 2 is an 
excerpt from a mutation table covering 
three protease inhibitors. The blue 
bar represents the protein sequence, 
here the protease with 99 amino-acid 
positions. Numbers inside the blue 
bar indicate protein-sequence 
positions. The amino acid of the reference 
virus at that position is given above the 
number. Resistance mutations at that 
position are indicated below the 
number. Each row pertains to a single drug 
named to the left of the row. Mutations 
enter the table as a result of 
committee consensus. More recently, the 
tables have been turned into expert 
systems that provide more complex rules. 
These systems can also express 
interactions between different mutations 
that result in resistance or 
susceptibility of the virus to a given drug.”® 


Computational Biology 

One problem with mutation tables 
and expert systems is they are the 
result of a consensus among human 
experts, rather than being systematically 
derived from the underlying clinical 
data. This is where the contribution 
of computational biology comes in. If 
we can render the clinical resistance 
databases computer-readable, we can 
apply statistical-learning methods to 
systematically derive estimates of the 
resistance phenotype from the viral 
genotype. We can also assess not only 
the level of resistance of the virus pres- 
ent in the patient but also estimate the 
path the virus will take toward resis- 
tance in the future if presented with a 
specific drug therapy, along with the 
time the virus will take to get there. 
Since 1988, we have been partners in 
a number of consortia collecting HIV- 
resistance data comprising viral geno- 
types, associated clinical markers (such 
as counts of virus and immune cells in 
the blood), and phenotypic-resistance 


data where available. We did this 
nationally in Germany through the 
Arevir database.’ In 2004, we co-founded 
the EuResist consortium, whose 
database is the result of integrating several 
large resistance databases for all of 
Europe.'® To our knowledge, the EuResist 
database is the largest HIV-resistance 
database worldwide, harboring data 
on just under 100,000 therapies for 
almost 34,000 patients. Paired data on 
viral-mutations and clinical response 
to treatment is available for more than 
5,000 therapies. 


Figure 3. Decision tree for resistance against the AIDS drug saquinavir. 

Identifying new resistance mutations. 
Given an HIV-resistance database, we 
use statistical methods to 
systematically find resistance mutations. A 
resistance mutation is one such that 
viruses resistant (against a given drug) 
are highly enriched among the viral 
variants with the mutation, unlike the 
ones without the mutation. The 
“information content” a mutation 
harbors on viral resistance against a given 
drug can be quantified in various ways, 
including mutual information and 
distance from the decision boundary 
in a discriminatory classifier. Using 
such methods, we have uncovered 
new, that is, as-yet-undescribed 
resistance mutations.’ That study won a 
Best Presentation award at the Third 
European HIV Resistance Workshop, 
Athens, Greece, in 2005. This peer 
recognition reflects how much virolo- 
gists and clinicians are interested in 
approaches to identifying resistance 
mutations beyond the classical muta- 
tion tables. 

Resistance prediction based on com- 
plete viral genomes. The second class 
of models incorporates multivariate 
analysis to systematically deduce the 
kind of information offered less 
systematically by rule-based expert 
systems. We have produced many such 
models, including classifiers (into 
the resistance classes resistant and 
susceptible) and regression models 
that estimate the numerical value of 
the resistance factor. All models are 
trained on the data available in our 
resistance databases, notably geno- 
type-phenotype pair data, that is, viral 
variants for which we have both the 
viral genotype and the resistance fac- 
tor. We employed decision trees® and 
random forests to determine the clas- 
sifications. For regression we found 
support-vector machines are most ef- 
fective. Our statistical-learning meth- 
ods are state-of-the-art and adapted 
to the respective problem; the sidebar 
“Statistical Learning Methods” out- 
lines two such methods: mutagenetic 
trees and support-vector machines. 
Modeling and feature selection are 
the focus of the effort. Appropriate 
statistical validation of the resulting 
models represents another major as- 
pect of our research. 

Figure 3 is a decision tree for the re- 
sistance of HIV against the PR inhibi- 
tor saquinavir. The branching nodes 
are labeled with amino-acid positions 
in the target protein PR. Terminal 
nodes are labeled with the classes 
“resistant” and “susceptible,” 
respectively. Edges leaving a node are 
labeled with amino acids found at these 
positions. The amino acid of the reference 
virus (no mutation) is in red. The path 
leading from the root of the tree (top) 
to the blue arrow indicates a single 
mutation at position 54 from the ref- 
erence Isoleucine (I) to Valine (V). (All 
other edges along the path represent 
the reference virus.) The resulting vi- 
rus is resistant according to the model 
(red terminal node). However, if in 
position 72, there is also a mutation 
from the reference Isoleucine (I) to 
Valine (V) (red arrow), then the virus is 
susceptible (green terminal node) to 
treatment with the drug. Such resen- 
sitization events present interactions 
between different mutations and 
are derived systematically from the 
procedure of learning decision trees 
for drug resistance. Cross-validation 
helps us show that our decision trees 
make accurate predictions in 
approximately 90% of all cases. 

Our resistance models are the 
basic service of the geno2pheno server. 
Practicing physicians and laboratory 
virologists paste in the nucleic acid 
sequence of the relevant genes of the 
viral variant extracted from a patient’s 
blood. The analysis responds with the 
kind of output listed in Figure 4, where 
each row represents a drug. Column 
1 names the drug. Column 2 gives the 
estimated resistance factor. Column 3 
gives a normalized value reflecting the 
significance of the resistance value. 
Column 4 lists mutations found in the 
input sequence, red if they strengthen 
the resistance of the virus and green if 
they weaken it. The data in the figure 
points to strong resistance against 
many inhibitors of RT and therapy 
options targeting PR. The Geno2pheno 
server is the basis for supporting 
treatment decisions in about two-thirds of 
HIV-infected patients treated in 
Germany.'’* This means at least 12,000 
decisions for treatment selection per 
year in Germany involve geno2pheno 
or its findings. 


Figure 4. Sample output of geno2pheno resistance analysis. 

Figure 5. Two favored mutational escape paths of HIV from the therapy with the RT inhibitor zidovudine. Panel titles: TAM1 Path, TAM2 Path. 

Chasing the virus. This analysis 
treats each drug separately. Given the 
output in Figure 4, the physician as- 
sesses the resistance level of the vi- 
rus against each individual drug and 
manually composes the combination 
drug therapy that is (hopefully) effec- 
tive against the present virus. We also 
look into the future of the virus. Pre- 
sented with a given combination drug 
therapy, how will it react? What are its 
mutational escape paths and how long 
will the therapy stay effective? The vi- 
rus does not just randomly introduce 
mutations. Rather, it follows more- 
or-less established mutational escape 
paths; Figure 5 outlines two favored 
paths from a therapy with the single 
AIDS drug zidovudine (ZDV, AZT). (The 
notation is analogous to that of Figure 
3.) We denote with K70R the mutation 
of K to R in position 70 (of RT). Hence, 
one escape path is K70R followed by 
K219E/Q. 

The biological reasons for the vi- 
rus following these paths are not well 
understood. But the paths show up 
in a clinical HIV-resistance database. 
Finding them is simple if we have 
longitudinal data. The data comprises 
sequences of viral genotypes and clinical 
parameters from the same patient over 
long periods of time. However, such 
data is difficult to come by. Our data- 
bases are dominated by cross-sectional 
data involving only a few or single data 
points for each patient. Nevertheless, 
we are still able to identify favored es- 
cape paths from cross-sectional data, 
as in Figure 5. 

A database of cross-sectional data 
on therapies with zidovudine will not 
contain many viruses having mutation 
M41L but not the mutation T215F/Y. 
This mutational pattern indicates the 
direction of the escape path. We have 
developed statistical models that pin- 
point the paths, so-called mixtures of 
mutagenetic trees, from the database’; 
Figure 6 outlines the trees derived 
from the database concerning zidovu- 
dine therapy. 

Figure 6 outlines a mixture model of 
two mutagenetic trees, the bottom one 
expressing the two thymidine analogue 
mutations (TAM) escape paths and the 
top one (noise tree) expressing an un- 
structured escape to resistance. The 
mixture model indicates that 78% of 
the data is explained by the escape via 
the TAM paths; 22% can be viewed as 
noise. The sidebar explores mixtures 
of the mutagenetic trees model. 

The analysis of viral escape is avail- 
able on the geno2pheno server via the 
applet known as THEO (therapy opti- 
mization), which ranks all reasonable 
therapies by the probability of their 
staying effective for six months or lon- 
ger for the Web-server version of the 
software. The statistical method for 
doing this is discussed in the sidebar 
section on support-vector machines. 
Figure 7 outlines the results of THEO 
on the same data as in Figure 5. 

Training the model requires data 
encompassing the viral genotype, the 
drugs involved in the therapy, and clin- 
ical follow-up data on the effectiveness 
of the therapy. How to characterize a 
successful therapy is complex. We do 
not, for example, need the resistance 
factor to be input for each query. We 
can supply it through our computa- 
tional-resistance prediction method 
discussed earlier. Also, the expected 
future viral evolution can be estimated 
through mutagenetic trees. 

THEO, which has been validated 
extensively, improves the accuracy 
of therapy selection substantially’’; 
for example, approximately 24% of 
the therapy selections reported in the 
2006 version of our Arevir database 
turned out to be ineffective. Using 
THEO could have helped reduce the 
error rate in selecting effective 
therapies below 15%. 

The EuResist project (http://www.eu- 
resists.org) adds two qualities to the 
research we discuss here: Data collection 
includes data from several European 
countries; and, on the EuResist 
prediction server, three independently 
developed prediction engines are executed 
and return individual results and a 
consensus prediction." 


Figure 6. Two mutagenetic trees indicating the escape paths in Figure 5; “wild type” 
indicates the reference virus. 


New Drugs 

Using sophisticated methods to 
administer antiviral combination drug 
therapies does not obviate demand for 
continually developing new drugs. For 
an individual patient, administering 
a drug provokes resistance mutations 
that accumulate within the virus 
genome. Eventually, only new drugs with 
new modes of action or even new 
target proteins will deliver additional 
effective drug therapies. Moreover, AIDS 
drugs age as resistance mutations 
accumulate in the global viral 
population, necessitating continuous 
development of new drugs. And clinical side 
effects enforce the development of 
new drugs with the same mode of 
action as existing “old” drugs. Such new 
drugs might replace the “old” drugs 
but might also provoke slightly 
different resistance mutations. 


Figure 7. THEO applet. 

Figure 8. Proteins participating in HIV cell entry (courtesy Pfizer). 

Drugs targeting RT and PR were 
the basis of AIDS therapy until the 
early 2000s. Since 2003, drugs target- 
ing other proteins have come onto the 
market. Especially attractive targets 
for anti-HIV drugs are proteins facili- 
tating cell entry of HIV. Such targets 
are chosen because blocking viral cell 
entry helps prevent integration of the 
viral DNA into the cellular genome. 
To understand how we block viral cell 
entry we must look at the process of 
HIV entering the cell in more detail 
(see Figure 8). First, the viral surface 
protein gp120 binds to the cellular 
receptor protein CD4. This leads to a 
conformational change in gp120 so it 
can then bind to an additional cellular 
protein, the so-called co-receptor. The 
binding of gp120 to the cellular co- 
receptor triggers the actual viral cell 
entry, during which the helical (cork- 
screw-like) viral surface protein gp41 
penetrates the cellular membrane, 
and the hull of HIV fuses with the cel- 
lular membrane. HIV can use one of 
two cellular surface proteins—CCR5 
or CXCR4—as a co-receptor; some vi- 
ral strains use either. The co-receptor 
specificity of HIV is also called viral 
tropism. A virus using CCR5 is called
R5-virus. Analogously, a virus using 
CXCR4 is called X4-virus. A virus using 
either co-receptor is called dual-trop- 
ic, or R5/X4-virus. 

Viral tropism has important clinical 
consequences. For example, the initial 
infection results almost exclusively in 
an R5-virus population; we assume that 
X4-viruses may infect the patient but 
can be controlled initially by the immune
system. Approximately 1% of the
Caucasian population worldwide lacks
a functional gene for CCR5, has no ap- 
parent symptoms, and is resistant to 
being infected by HIV. As the disease 
progresses, a virus using CXCR4 can 
become dominant. 

Targets for drugs that block cell en- 
try are the viral surface protein gp41 
and the cellular co-receptor CCR5. The 
latter is targeted by the drug Selzentry/ 
Celsentri, which contains the active 
substance maraviroc (developed by 
pharmaceutical manufacturer Pfizer). 
Regulatory agencies in Europe and the 
U.S. require viral tropism testing before 
administration of this drug. As with 
resistance analysis, there are again 
two options for a viral tropism test: 
One is a lab-based phenotypic test, the 
other a genotypic test with computer- 
based interpretation. The advantages 
and disadvantages of each are similar 
to those in resistance testing; for ex- 
ample, phenotypic tests are accurate 
but take a long time and are expensive 
and not always easily accessible. More- 
over, and in contrast to phenotypic 
resistance tests, phenotypic tropism 
tests provide only a classification into
X4-capable or not-X4-capable and no
quantification of the risk of using the
wrong co-receptor. 

The main problem with genotypic 
tests is the elucidation of the genotype- 
phenotype relationship. The geno2phe- 
no server offers a prediction for viral tro- 
pism from genotype. As with resistance 
analysis it is based on careful modeling 
of the input and on the development of 
a multivariate statistical model trained 
on genotype-phenotype pair data. In
this instance, the phenotype is the viral
tropism, not the resistance against
a drug, though the co-receptor switch
can be viewed as a way for HIV to evade
drugs blocking CCR5. Three notable
advantages of this genotypic approach
are lower costs, wider availability, and 
a quantification of the risk of using the 
CXCR4 co-receptor. 


Measuring the Viral Quasi-Species 

A problem with genotypic data that 
seems more relevant for predicting 
viral tropism than for predicting drug 
resistance is that the patient harbors 
not a single viral variant but rather a 
diverse viral population, or so-called 
quasi-species. Classical genotypic 
measurements reduce the quasi-species
to a single viral variant (the
dominant one) or to a sequence consensus
of a few frequent viral variants.
However, minorities of X4-virus present
in the viral quasi-species (but not
detected by the genotypic test) can accumulate
in the patient under therapy
with CCR5-blockers. Detecting such
minorities may be clinically important,
and phenotypic tests are able to
detect them. To enable genotypic tests
to also detect them, we use new deep
sequencing technology called pyrosequencing
to generate data from
which appropriate computational
procedures reconstruct (with great accuracy)
the profile of the whole quasi-species.
One of our current research
activities targets predicting viral tropism
and its clinical consequences
based on such data.

Since there are major obstacles to curing AIDS, the objectives of drug therapy are to ease symptoms, suppress viral replication, and delay progress of the disease.


Outlook


The work described here can now be ex- 
tended in several directions. For exam- 
ple, a multitude of questions pertain to 
the statistical-modeling procedure, in- 
cluding those involving the representa- 
tiveness of the clinical databases, how 
to improve prediction accuracy when 
sufficient training data is unavailable, 
and how to follow different notions of 
therapy success. 

More fundamental, the technology 
applies to other viral infections, the 
pathogens of which exhibit dynamic 
evolutionary development, a property 
shared by Hepatitis C (caused by HCV) 
and Hepatitis B (caused by HBV). In 
both cases, drug development and the 
collection of resistance data has not 
advanced as far as it has for HIV. We are 
involved in projects that collect such 
data, intending to transfer our technol- 
ogy to these diseases. We have gone be- 
yond infectious diseases and applied 
the mutagenetic-trees technology to 
assessing the status of tumor progres- 
sion in cancers from data on the evolu- 
tionary degeneration of the genomes 
of the related tumor cells.

Thus far, our analysis is based mostly 
on pattern matching with limited con- 
crete biology in the form of mechanis- 
tic models of the creation of the viral 
phenotype. Methods from experimen- 
tal virology and systems biology can be 
used to generate data that facilitates
development of such models. Incorporating
them into the prediction of viral
resistance and therapy effectiveness
should increase the accuracy of the relevant
prediction procedures and help
further our understanding of how the 
viral phenotype develops. 

Finally, though not included in our 
present analysis, host factors, includ- 
ing a patient’s immunotype, also play 
a role in disease development and 
the effectiveness of drug therapy. For 
instance, it is under debate whether 
the immune system initially sup- 
presses the enrichment of preexisting 
X4-viruses in the viral quasi-species. 
If this is the case, solely detecting 
X4 minorities need not be clinically
significant; such detection does not 
necessarily predict the breakthrough 
of the viral variants, as long as the im- 
mune system is intact. Indeed, we and 
others have observed that the risk of
X4-virus emerging rises with decreas- 
ing immune-cell count, reflecting the 
decreased intensity of the patient’s 
immune response. Such observations 
strongly encourage construction of a 
comprehensive model that includes 
information on all three players— 
pathogen, drug, and host. 
Student participation and resulting expertise
is as valuable as having the high-performance
resource itself.

BY CAMERON SEAY AND GARY TUCKER

Virtual Computing Initiative at a Small Public University


1 Carolina 

ed August 2004, 

ehly scalable, high- 

t ce computing (HPC) resource providing on- 
| licati e/anytime had become 


The VCL allows platform-independent
access to a variety of computing configurations
without having to maintain
each one separately. This is done
through software images installed (on
demand by users) onto blade servers.
The result is a highly scalable computing
environment that allows users to
use what they need when they need it.

The VCL was a groundbreaking
project, in that it used entirely open
source tools to dramatically increase
the accessibility of computing resources
for students, but the costs incurred are
beyond the means of most smaller universities.
However, in light of lessons
learned, we now know that a much
more affordable implementation is
possible. Here, we offer a case study of
a follow-on VCL pilot project at North
Carolina Central University (NCCU), an
historically black college in Durham,
NC. But NCCU has less than a third the
number of students as NC State while
also being a liberal arts college (with
a science focus), not an engineering
school like NC State. By leveraging NC
State expertise, we showed that such
technology is within reach of practically
any educational institution.

Virtualization is a key component of
the way applications are deployed and
used today. Users are no longer tied to
a particular locale or limited by a par- 
ticular workstation environment, and 
organizations are no longer limited to 
applications that use platforms com- 
mensurate with the expertise of their 
IT-support staffs. For example, profes- 
sors who need applications to run on 
Linux need not be concerned if their 
universities’ IT staffs include all autho- 
rized Linux administrators. Virtualiza- 
tion allows operating environments to 
be simulated in a way that does not require
in-house expertise in the environment
being used. What is required are
users who know the applications they'll
be using and their proper configurations.
The VCL project at NC State is
a large-scale, publicly accessible example
of a virtualization application
in education, providing transparent
access to dozens of applications used
by students and their professors in virtually
every discipline in the university.
It has dramatically altered the way students
and faculty access the school’s
computer resources.

key insights

• Though virtualization is not new, the VCL
provides greater access to computer
applications.

• The VCL is a sophisticated application
that may be prohibitively expensive
to install from scratch; NCCU is thus
leveraging NC State’s expertise to
develop a VCL project of its own.

• Virtualization has great potential on
mainframes, and the NCCU VCL pilot
system aims to extend itself to a
mainframe platform.

• The VCL can be deployed by institutions
of any size.

Founded in 1910, NCCU today has 
an enrollment of approximately 8,500 
students. As a liberal arts school with a
science focus, it includes the Biomanu- 
facturing Research Institute and Tech- 
nology Enterprise and the Biomedical 
and Biotechnology Research Institute 
and so has an ongoing need to manage 
diverse computing environments to 
support their various research projects. 
The VCL project represented a good 
model for addressing NCCU comput- 
ing needs. 

We attended a fall 2004 technology 
conference in Research Triangle Park, 
NC, where virtualization was covered. 
Researchers from NC State and Duke 
University described a project that allowed
an infrastructure built on a Linux,
Apache, PHP, MySQL (or LAMP)
software base installed on blade servers
to host multiple research projects on
different platforms. For example, if one 
faculty member had a project requiring 
a Windows-based server and another 
had a project requiring a Solaris-based 
server, both projects could be hosted 
on the same infrastructure through 
virtualization of the respective operat- 
ing systems. While not newcomers to 
virtualization, we were nonetheless im- 
pressed by how blade servers added a 
higher level of scalability. We began to 
seek out relationships with researchers 
and major technology companies in 
the Research Triangle Park area to de- 
termine how NCCU might get involved 
in the flow of this innovation. 
Over the next two years we received 
a series of hardware grants and cash 
awards that allowed NCCU to build a 
simple blade-server infrastructure suit- 
able for a virtualization project. We 
were introduced to the VCL project in 
the College of Engineering at NC State 
where blade servers and virtualization, 
as well as stored images containing 
software components, were installed 
directly on the blades. Strictly speaking,
using a full image on a blade is not
“virtualization” per se, but the “virtual”
designation fits in that users access the 
application remotely, not on their local 
computers. The project’s most notable 
innovation was software-driven man- 
agement logic that provides resources 
as needed and allows unused resources 
to be used for HPC applications, includ- 
ing molecular analysis. Students could 
use any Web browser with access to ad- 
equate bandwidth (at least 125kbs) to 
connect to dozens of desktop applica- 
tions anywhere/anytime. 

We intended to deploy this innova- 
tion at NCCU using blade servers— 
ultra-thin computers with multiple 
high-end processors—in a highly flex- 
ible “one-stop-shop” infrastructure 
to provide the same service to our stu- 
dents and faculty. With the two major 
biotechnology centers at NCCU, along 
with the university’s focus on scientific
computing, we felt the NC State
approach would also be appropriate
for NCCU—use the blades to run virtualized
applications when needed but
apply all idle processing time to long- 
running, processor-intensive scientific 
applications. 

The goal was a scalable, reliable infrastructure
for both virtualization and
HPC applications. Toward this end, we
began by purchasing nine blade servers.
In fall 2005, we received a hardware
grant from IBM (www.ibm.com/univer- 
sity) providing $84,000 for hardware, 
though nothing for software or support. 
Most was apportioned to the infrastruc- 
ture to support the blades, leaving little 
for the blades themselves. For example, 
the rack required to host the chassis for 
the blades cost $2,649. The network 
switch for the blades cost $10,000. 
The monitor, keyboard, and video and 
monitor connector cost $2,245. After 
we ordered these foundational pieces, 
there was funding enough for nine initial
blades. We chose IBM HS20 Xeon
blade servers with 4GB of RAM and
two 3.8GHz processors per server. Each
server also had two 36GB mirrored 
hard drives. The cost per blade, with ex- 
tra processor, memory, and hard drive, 
was approximately $6,106. 

One technical lesson we learned
quickly was there really is no need to mirror
the hard drives in the blade servers
when using them for virtualization
and that it is better to spend our grant
money on a faster processor and more
memory. The failure rate of the IBM
blade servers was low, and if students
were backing up their work to permanent
storage (as we advised them to
do), the unlikely event of a drive failure 
would be only an annoyance, while the 
students secured another session and 
resumed their work. No drive failure 
during any session has been reported 
by NCCU users. 

In 2006, we were awarded a second 
grant from IBM for the same amount. 
This time we were able to spend more 
of the grant money on blade servers. 
Having learned we did not have to mir- 
ror the hard drives, we were able to pur- 
chase higher-end blade servers at lower 
cost. This time, we chose 14 IBM HS21 
blade servers (a later model from the 
previous year) with 72GB hard drives, 
two 3.8GHz processors, and 4GB of 
memory. We then had a total of 23 
blades in the two chassis. 

Staff from NC State and NCCU Information
Technology Services (ITS)
assisted in the installation of the initial
blades. Our intention was to adhere to
the NC State LAMP standard as closely
as possible, the rationale being that we
wanted to leverage the existing knowledge
base, deviating from the standards
only when absolutely necessary. However,
circumstances prevented rigid
adherence to the NC State installation
model. The standard operating system
(OS) NC State used was the Red Hat Enterprise
License (RHEL) distribution of
Linux. While the State of North Carolina
has a licensing agreement with Red
Hat to use RHEL, we could not get clarity
as to how we might properly use the
license for our installation. We decided
on SuSE 10.1 (available for free at the
time) as our OS because one of the consultants
working with us was familiar
with it, and in our judgment Red Hat
Fedora (another free distribution) was
not appropriate for our purposes.

Figure 1. NC State VCL infrastructure.

As a physical location for the equipment,
we chose a data center in Research
Triangle Park that already
housed many North Carolina University
system projects, including much of
the VCL infrastructure. Though the de- 
cision had not been formalized at the 
time of our 2006 installation, we knew 
the data center had sufficient power, 
cooling, and bandwidth, and its staff 
was familiar with the equipment the 
NCCU team would be using. The ini- 
tial cost for housing the blade center, 
including power and bandwidth, was 
approximately $600/month, which we 
considered reasonable. 

The project’s driving theme was the 
use of existing expertise to extend both 
the VCL footprint and NCCU’s computing
capability. We knew that virtualization
per se is a somewhat mature technology
we had not previously tapped
due to the limits of NCCU staffing and
expertise. Our collaboration with tech- 
nology companies (one of which, IBM, 
provided the hardware grant), the data 
center (which hosted the project as 
funding was worked out and provided 
unpaid assistance), and other univer- 
sities in the area (an endless supply of 
innovation and expertise) is as much 
the story here as the technology of vir- 
tualization. The model we used thus 
represents a template for a bare-bones 
venture into virtualization technology 
by institutions otherwise lacking the 
resources to do so. This will prove in- 
valuable for those in remote areas, like 
rural school districts, and those with
limited financial resources, like many
in North Carolina today.


The NC State VCL uses blade servers
for hardware and a LAMP open source
environment for software. Red Hat En- 
terprise License is the core OS, though 
we also still use SuSE 10.1. We emu- 
lated this environment due to its sta- 
bility, flexibility, and scalability—char- 
acteristics of an infrastructure suited 
to our purposes. Our resources were 
limited; we initially (in 2005) lacked 
funding other than what we received to 
purchase hardware. But one VCL merit 
is a system built (basically) with open 
source software. Meanwhile, the LAMP 
environment has proved itself robust 
enough for even the most demanding 
use in terms of number of users, application
size, hours of operation, and
performance. 

Figure 1 outlines the hardware used
to deploy the VCL. Applications are deployed
using either full images of the
application (including OS and periph- 
eral files) installed directly on an empty 
blade or virtual machines via VMware. 
These images are stored in an image 
library until the scheduler calls them 
to be loaded. The scheduler, consisting 
of code written in PERL and PHP, communicates
with the MySQL instance
containing the data for the system. The
entire infrastructure sits on racks of 
blade servers maintained at a central 
location in Research Triangle Park; 
some parts are in NC State’s facility in 
Raleigh, NC, but over the next few years
all VCL equipment is expected to be
located in the Research Triangle Park
facility.


Users access the VCL from their per- 
sonal locations, whether school, lab, 
home, or during travel. What they need 
is some form of broadband connection 
(as little as 128kbs is sufficient, though 
at least 256kbs is recommended), a
computer with TCP/IP (properly configured),
and a Web browser. The VCL uses
student and faculty institutional email 
for authentication, an approach that 
facilitates the VCL’s extensibility. Us- 
ers external to NC State do not need to 
maintain separate VCL authentication 
identities, selecting whatever identity 
they normally use to get onto their own 
organizations’ networks. Users authen- 
ticating to the VCL see a screen like the 
one in Figure 2. 

From that initial screen the users 
select the application (image) they 
want to use, the time they want to use 
it, and the duration of their session. 
When using applications, they select a 
remote-access client (varying by OS) to 
attach to and use the image as if it were 
their regular desktop. Performance is 
excellent; only changes to the desktop 
screen traverse the network, with all 
processing occurring on the blades or 
on whatever high-end hardware houses
the VCL not otherwise married to a
blade configuration. 

The NC State implementation is ro- 
bust and stable, but building a similar 
application from scratch would be prohibitively
expensive for smaller institutions.
What emerged is a methodology
that allows any institution, irrespective
of size, to use the system. At present,
NCCU is able to use it in day-to-day
functions, somewhat separate from 
the NC State VCL team. While support 
from NC State is still required, it de- 
creases with the passing semesters. As 
the pilot project expands and is viewed 
as successful, the NCCU goal is to be 
completely autonomous in terms of 
hardware, software, and maintenance, 
though such autonomy is not strictly 
necessary. Whether an institution
wants to run its own part of the VCL or 
have it run by NC State varies by insti- 
tutional mission. For NCCU, having its 
technology students fully understand 
the VCL is almost as important as the 
value it gets from using the tool itself; 
on the other hand, a middle-school
English class might need access only to
word processing software. Having the
mission of each institution drive the 
configuration of the tool highlights the 
VCL’s flexibility and fitness as an edu- 
cational resource. 

The evolving VCL model involves a 
loose confederation of user organiza- 
tions consisting of several colleges and 
community colleges in the University of 
North Carolina system. Some purchase 
their own blades, deploying them in 
racks in the data center housing VCL 
equipment; some use the existing 
equipment and just add users to infra- 
structure already deployed. A statewide 
VCL network will eventually include 
K-12 school systems in North Carolina, 
nonprofit corporations, and other or- 
ganizations in need of the functionality 
the VCL provides but lacking the means 
and expertise to deploy themselves. 

NCCU has partnered with two high 
schools that exemplify the VCL’s eclec- 
tic nature; one is interested in the VCL 
primarily as a tool for teaching networking
concepts, the other more in the easy
access to the software it provides. Both 
serve predominantly African-American 
student populations that would benefit 
tremendously from being exposed to 
VCL innovation. 

What about licensing? On the sur- 
face it might seem that licensing would 
add considerable complexity to VCL 
deployment. However, none of the VCL 
partners have found this to be the case. 
All that is required of any institution 
is a clear understanding with the software
vendor that access to its products
conforms to the agreed-upon license;
access logs provide ready confirmation 
that the terms of the license have been 
followed. For certain products (such 
as widely used statistical software), we 
meet with the vendor to establish the 
processes it finds acceptable for access- 
ing its product. For individual licenses, 
VCL staff maps users to software per 
the product’s license agreement. While 
some up-front organization is required, 
licensing is not a major hurdle. 

What about VCL bandwidth requirements?
Because users access software
remotely (the application is not on the
user’s local system), use of bandwidth
does increase somewhat. Programs 
that are graphically intensive (such as 
engineering design) send more pack- 
ets than less graphically intensive pro- 
grams (such as word processing). How- 
ever, during NCCU pilot development 
we found neither performance degra- 
dation on NCCU’s network nor severe 
performance issues on graphically in- 
tensive programs (such as AutoCAD). 
The local high schools use Alice, a 3D 
programming environment that uses 
graphics extensively; its performance 
via the VCL is more than acceptable. 
A more challenging test, perhaps, is a 
more graphically intensive business 
simulation, like IBM’s business-pro- 
cess simulation Innov8 (http://www-01. 
ibm.com/software/solutions/soa/in- 
nov8/index.html). Because it requires 
high-end graphics capability on the
monitor (a problem not directly related 
to the VCL), we have been unable to 
test its effect on the VCL environment 
because the graphics cards in our lab 
machines don’t support the required 
graphics. We’re eager to see how the 
VCL handles such applications when 
the monitors on those machines are 
upgraded to render graphics for programs
like Innov8.

Discussions among faculty and ad- 
ministrators at both NCCU and NC 
State, along with the local technology 
companies funding project hardware 
and the NCCU data center staff, were
necessary for planning how to use the 
VCL at NCCU. All the administrators 
seemed to understand and recognize 
the value of the project, giving it their 
full support. Such support is vital to 
any technology project. An early ques- 
tion involved who would pay to house 
the equipment. The funding grant 
NCCU received for the project was lim- 
ited to hardware. Ultimately, the NCCU 
School of Business (with permission of 
its Dean) absorbed the initial housing 
costs for the equipment. 

Figure 2. VCL user interface.

We installed SuSE 10.1 on the first
nine blades in early 2006. That spring
we began to poll the NCCU community
about what applications it used that
might be deployed on our blades. The
first was WebMO, a chemistry program
for molecular analysis, complementing
our plan to use the processing power of
the blades to run scientific programs
when not used for virtualization. A
blade was dedicated to classes in both
the NCCU School of Business and
School of Library and Information Sci- 
ence. Classes using these blades were 
graduate database classes (Library and 
Information Science), programming 
and database classes (School of Busi- 
ness), and Web development (School of 
Business). The entire university could 
access the resource without interfer- 
ing with the production infrastructure 
managed by NCCU ITS. These parts of 
the project were completed in summer 
2006. 

Beginning fall 2006, the NC State 
VCL team began making presentations 
to faculty and staff beyond the NC State 
campus, explaining the promise of the 
VCL. The NCCU Provost attended one 
and gave the project her full support. 
NCCU administrators determined that 
a formal VCL pilot project was warrant- 
ed for roll-out in fall 2007. This includ- 
ed NCCU’s willingness to pay the cost 
of housing its blade center. We cannot
stress enough how important it was for
this to be perceived as an NCCU-wide
project not restricted to NCCU’s School 
of Business. The greater the VCL foot- 
print, meaning the larger the number 
of users, the greater would be the value 
to the entire university. 

Once the CIO, Provost, and Dean of 
the School of Business were in agree- 
ment that NCCU would develop the 
VCL, members of the NCCU VCL team 
(now NCCU ITS) were assigned to iden- 
tify the applications the VCL would 
support. So we asked NCCU faculty 
what applications they felt would provide
the greatest initial benefit. The
consensus was the statistical package
SAS. One reason for this choice was 
that the more popular standalone ver- 
sion of the package had to be installed 
on every workstation that uses it. Since 
the application is updated regularly, 
manually updating every workstation 
is prohibitively labor-intensive, in spite 
of imaging software. If the application
could be accessed centrally, this would
produce a considerable cost saving in
terms of labor. In addition, students 
in classes requiring SAS usually come 
to campus to do their assignments because
the software is too expensive for
them to purchase on their own, and the
SAS academic license requires it be installed
only on NCCU computers. The
VCL would allow them to access the
software remotely.

The CIOs of NC State and NCCU met
with SAS management to determine
how SAS could be accessed through the
VCL. SAS agreed to allow faculty and
students at NCCU, NC State, and other
affiliated users who follow all requirements
of the SAS licensing agreements
to access the product through the VCL.

Now the problem was how to let
NCCU users actually access it. The
NCCU team lacked the expertise to
manage the system’s scheduling of
images and virtual machines but did
not want to add to NC State’s administrative
burden by having to routinely
manage NCCU users. The VCL teams
at NC State and NCCU agreed that the
NC State infrastructure would serve as
a base for other organizations so the
scheduling and management logic of
the NC State VCL engine would serve
additional participants. As resources
were acquired and added to the infrastructure
(to be centrally located in the
Research Triangle Park data center),
for the time being, management logic
would still be centralized. As the VCL
code base was made portable (not the
case initially), other entities would be
able to use the code to manage their
own parts of the infrastructure. The
blade configuration was such that all
chassis added to it could be managed
centrally through a “management
module” on each rack, an approach
providing maximum extensibility.
Another positive development was
IBM awarding an additional hardware
grant to NCCU in fall 2006. As we had
already purchased much of the infrastructure
to house additional blades,
we used the new grant to purchase
14 more blades. This time, we chose
CentOS 5 as the OS. Though the RHEL
license issue was still not resolved, the
CentOS design is very much like RHEL,
and we felt this would help move NCCU
toward a standard configuration.

One thing apparent early in this process
was that a facilitator, or person
with direct interest in VCL adoption,
is essential. While necessary, academic
departments, administrators, and
technical managers “getting it” is not
sufficient. The project repeatedly ran
into obstacles that would have been fatal
without the required commitments.
Even an executive champion is not sufficient.
A facilitator must be able to build
communication channels, provide or
find expertise, help the organization
with funding, and act as handholder/
cheerleader as the organization grows
into the VCL.

One reason the facilitator is so es- 
sential is that almost invariably several 
entities are involved. The VCL is not 
an application whose value is best de- 
rived through its use in one or two de- 
partments. The VCL’s greatest value is 
when an entire institution, across func- 
tional units and academic disciplines, 
uses it to seamlessly access computing 
resources. 


The facilitator (like champions in other technology projects) must present the idea to both administrators and technical people as something desirable, as well as doable. The technology itself is not daunting to most IT shops; virtualization is not new. But to the staff it could be seen as extra work. The facilitator must address this perception, making it clear that the VCL means less work, not more.

It’s entirely possible that convincing a university’s president, provost, and/or CIO is not sufficient; there may be resistance from department heads and technical leads who see the VCL as problematic. The facilitator can identify and help articulate the most important value-adds; one is that the VCL flattens the hardware landscape so different labs access the same application on the same platform, for the most part irrespective of the configuration of the workstation accessing the VCL.


In larger organizations, the facilitator convincing a dean to try the VCL may indeed be able to marshal the necessary resources but must still ensure all parties follow through; in this context the facilitator is more like a project manager. For smaller organizations, however, the facilitator may do everything, from moving the organization’s mail identities into a Lightweight Directory Access Protocol structure to finding funds to purchase software, to creating the images to be used through the VCL.

By fall 2009, the NCCU VCL pilot had been in effect two full academic years, serving several targeted areas of the university. The heaviest users were from the following programs: Computer Information Systems (CIS), Decision Science, Marketing, and Hospitality and Tourism, and the School of Library and Information Science. In addition, special licensing was arranged for a local high school to access an application via NCCU’s license with the application’s publisher.


While the duration of the pilot was never specified, we (the authors) were comfortable that it is now ready to be put into production. However, a delay was encountered (a change of CIO at NCCU), and such a campuswide project cannot be accomplished until a new CIO is in place. We do not know when this will occur.

Meanwhile, from September 1, 2007 to December 31, 2009 a total of 11,529 reservations were submitted to use the VCL; total usage time of all applications was 14,645 hours, with 947 unique users. The most popular images/virtual machines were courseware for a CIS course (2,488 reservations, 328 unique users during the pilot project); SAS (1,657 reservations, 191 unique users); an Alice image at Hillside High School (1,174 reservations, 109 unique users); an Office 2007 image at Hillside High School (1,082 reservations, 86 unique users); an image of the statistical package SPSS (771 reservations, 99 unique users); and tools to access a mainframe for a course in mainframe technology (893 reservations, 34 unique users).

This usage profile shows that if the requested applications are provided through the VCL, users will use them.

The NCCU VCL pilot project opened a new realm for virtual access to applications. NCCU is not an engineering school with layers of technology expertise. It has a highly competent but small ITS staff (in many ways the reason for the project’s success). Most of our expertise extended from NC State, which has shared lessons learned with us.

Our (the authors) role in the pilot project has been to put the right people in the right places at the right time. Through the business model that emerged from this process, we hope to bring other organizations into the VCL family.

Historically black colleges and universities, both public and private, can benefit from this model. We are in discussion with two larger technical HBCUs: Morgan State University in Baltimore, MD, and NC A&T State University in Greensboro, NC (both engineering schools). Southern University in Baton Rouge, LA, also an engineering school, recently received funding to begin its own VCL project. The NCCU VCL team is in discussion with the Southern VCL team to help facilitate the project.

Comments from faculty and students reflect the ease of VCL access. In each semester of the pilot, NCCU faculty used VCL for undergraduate and graduate classes requiring SAS software, mostly by students with no familiarity with the software; more than 300 participated. The related faculty had all taught SAS-related courses for years, so the content was familiar. The undergraduate students were, for the most part, newcomers to SAS. Most of the graduate students had some experience, but none could be considered an expert.

Each semester of the pilot project we’ve regularly asked all related professors whether their students reported difficulty accessing SAS software through the VCL. Other than ensuring students use the correct credentials to log into the system (NCCU student identities), we’ve received no reports of difficulty accessing the software when off campus. Moreover, none of the students with whom we spoke reported any difficulty accessing the software remotely, once they logged into the system once or twice.

Several students functioned as unofficial technical support for the software (more for SAS than for the VCL), greatly enhancing the experience of their less-proficient counterparts, at least according to the students with whom we spoke. These impromptu experts eased the novelty for novices logging in for the first time. One graduate student whose home was adjacent to campus served as a sort of coordinator for graduate novices logging in for the first time.
NCCU has benefited from the fact that the VCL makes complicated installations less burdensome when done concurrently in labs with dissimilar hardware configurations. NCCU ITS uses a set number of master images to deploy OSs and software applications to the labs. While the images are designed for lab heterogeneity, any application outside the existing configurations could cause problems for ITS staff. An example is an application the CIS Department uses to teach students office-productivity software. Though not complicated to install, it is beyond the scope of the NCCU ITS standard image and involves ITS managers assigning staff to install it. The solution was to have CIS faculty using the application create an image, then have the students access it. The software publisher sees no violation of its license agreement, and NCCU ITS does not assign support staff to install and maintain the package. While this is a rather pedestrian example, it nonetheless caused considerable frustration on the part of both the CIS faculty and the NCCU ITS staff.

Because the NCCU VCL pilot project could count on NC State’s extensive expertise and resources, we had little concern that the pilot project’s workload would overwhelm our blades. Because we deployed both virtual machines and “bare metal” images (loaded directly onto the blade servers), we addressed any limitation in our resources through NC State’s much more robust infrastructure. NC State had been the recipient of both cash grants and hardware donations to support an environment with hundreds of blade servers.

Because we used NC State’s node-management software, it was a small matter to direct users to available resources; we have no record of a user lacking available resources to use an image. We calculated that if we could dedicate all 14 blades, we could also support four virtual machines per blade, for a total of 56 concurrent users; most of the applications are not computationally intensive, and we were able to distribute computationally intensive applications, like SAS, across several blades to balance demand on the processor. At no time did demand from the pilot approach this requirement. Our focus was not so much on maximum utilization of resources (though with virtualization this goal is a given) as it was on determining the level, quality, and type of service that would be required for faculty and staff to use the infrastructure.

We planned to address demand in several ways:

> Use the large donation of processors and cash to NC State by IBM and Intel to provide enough resources so the entire 16-campus University of North Carolina system could use the VCL the same way NCCU and NC State use it;

> Provide autonomy to NCCU and not strain the NC State staff for expertise, limiting the pilot until funding was available; and

> Port the VCL to IBM’s System z platform, running it on zLinux. Several companies have offered to support such an effort, but how to run Windows applications smoothly on the z/OS platform is not fully resolved.

It appears that the first approach is the most likely near-term solution because much of the cost of a mega-blade center would be spread across the entire University of North Carolina system, covering power, hardware, and staff.

Of considerable interest to many educators is the possibility of also bringing K-12 organizations into the VCL.* The application is ideal for technologically and financially limited schools serving lower-income students.° NCCU is involved with two high schools in the Research Triangle Park area, one using the VCL, the other expecting to by fall 2010. These schools will be an excellent test case, further demonstrating the VCL’s ability to flatten the technology playing field.

Another compelling VCL development is the possibility of porting some functionality to a mainframe environment. Virtualization technology had an early home there, beginning 40 years ago with the need to replicate a development environment without having to add separate, prohibitively expensive machines. IBM’s zVM OS was an early answer to this demand. With the advent of sophisticated partitioning technologies in the 1980s, zVM became much less essential, and the technology was almost retired; x86-based virtualization then gave zVM new life. IBM claims its z10 processor (announced in February 2008) can lower the cost of energy by 85% compared to x86 processors doing the same work.’ Only the Linux/Unix-based applications are candidates for migration from the VCL to mainframes (due to instruction-set compatibility issues between zOS and Windows). Even if only the Linux/Unix VCL applications are run on the z10, it will be interesting to see if such impressive cost savings can be realized.


Conclusion 

The NCCU VCL pilot is an extension of the VCL project begun at NC State and owes full attribution to the NC State team for its innovative work. But as users of the VCL, we aim to drive it to places where it might not go of its own accord. The VCL began at a public university; implicit in such work is the ethical obligation to allow the public to avail itself of its benefit, with the consent of its creators at NC State. Extensions of the VCL, including the NCCU pilot, are themselves innovations, because what is needed (once the science and engineering issues are addressed) is a replicable business model. The VCL has now been extended to NCCU, a relatively small public university, a significant accomplishment available to other organizations without large technology staffs.

VCL mainframe implications are significant. The VCL runs well on a distributed platform. All reports of performance and reliability in the current blade environment are positive. But virtualization has been part of the mainframe domain (such as IBM’s zVM) for decades. That it works is an understatement. To be able to have hundreds, even thousands, of virtual servers running on a mainframe with accompanying dramatic reduction in power demand is a development we are eager to see.


The VCL project is important to virtualization technology in education for four main reasons:

> Though it began in the College of Engineering at NC State, and NC State provides most of the technical direction, the project is developing an increasingly eclectic profile. Participants are able to apply innovation to the hardware and software infrastructure and still enjoy the benefits of being part of the VCL environment. For example, if a high school wants to use a homegrown virtualization solution (perhaps for instructional purposes) and didn’t use the VCL per se, accommodations could be made for it to use VCL management logic and networking, as long as its solution does not impede other users;

> For NCCU, development of expertise among internal staff and students is invaluable. We are learning to deploy our production infrastructure more efficiently, and our students are acquiring a valuable and marketable skill set involving virtualization;

> For the predominantly African-American community served by NCCU, the related technology transfer is especially welcome. As we work with high schools in our area, the community at large is involved directly in technological innovation at a much deeper level than it ever was before; and

> With the emergence of cloud computing,’ the VCL might also serve as a major cloud application, becoming yet another software service for the world at large while delivering services from commercial vendors.

Though commercial solutions may provide the same or similar results for the same or lower cost, they don’t (as far as we see) allow our extended community (particularly in North Carolina) to directly participate in the ongoing innovation. However, in many ways this participation is as vital to us as the benefit derived from the technology itself.
Making Decisions Based on the Preferences of Multiple Agents

Computer scientists have made great strides in how decision-making mechanisms are used.

BY VINCENT CONITZER

ILLUSTRATION BY JOHN HERSEY

key insights

> Computer scientists are contributing to and making use of microeconomic theory.

> Better algorithms enable new marketplaces and other mechanisms that lead to increased economic efficiency.

> Game theory and mechanism design can be used to analyze and address the problem of strategic users.

PEOPLE OFTEN MUST reach a joint decision even though they have conflicting preferences over the alternatives. Examples range from the mundane (such as allocating chores among the members of a household) to the sublime (such as electing a government and thereby charting the course for a country). The joint decision can be reached by an informal negotiating process or by a carefully specified protocol.

Philosophers, mathematicians, political scientists, economists, and others have studied the merits of various protocols for centuries. More recently, especially over the last decade, computer scientists have also become deeply involved in this study. The perhaps surprising arrival of computer scientists on this scene is due to a variety of reasons, including the following:

1. Computer networks provide a new platform for communicating preferences. Examples include auction Web sites, where preferences are communicated in the form of bids, as well as Web sites that allow one to rate everything from the quality of a product to the attractiveness of a person.

2. Within computer science, there is a growing number of settings where a decision must be made based on the conflicting preferences of multiple parties. Examples include determining whose job gets to run first on a machine, whose network traffic is routed along a particular link, or what advertisement is shown next to a page of search results.

3. Greater computing power and better algorithms, as well as a more computational mind-set in the general public, have made it possible to run computationally demanding protocols that lead to much better outcomes. An example is an auction in which bidders can bid on arbitrary sets of items, rather than just on individual items (I will discuss such auctions in more detail later). Such protocols were once considered theoretical niceties that could never be run in practice (to the extent they were conceived of at all), but now they are actually practical.

4. The paradigms of computer science give a different and useful perspective on some of the classic problems in economics and related disciplines. For example, various results in economics prove the existence of an equilibrium, but do not provide an efficient method for reaching such an equilibrium.

In this article, I give a (necessarily incomplete) survey of topics that computer scientists are working on in this domain. I discuss voting and rank aggregation, task and resource allocation, kidney exchanges, auctions and exchanges, charitable giving, and prediction markets. I examine the problem of agents acting in their own best interest, which cuts across most of these applications. I also intersperse a few opinions and predictions about where future research should and will go.

Here, parties whose preferences we are interested in are not always human; they can also be, among other things, robots, software agents, or firms.[a] As is done in both computer science and economics, I use the term “agent” to refer to any one of the parties.

Settings Without Payments

I will discuss a variety of settings, so it is helpful to categorize them somewhat. An important aspect is whether the setting allows agents to make payments to each other (in some currency). For example, in a voting setting, we typically do not imagine money changing hands among voters (unethical behavior aside). On the other hand, in an auction, we naturally expect the winning bidder to pay for her winnings. First, I discuss various settings in which no money changes hands.

[a] In artificial intelligence, there is the study of multiagent systems, where agents—for example, robots—often need a protocol for coordinating on (say) a joint plan.

Voting and rank aggregation. A natural and very general approach for deciding among multiple alternatives is to vote over them. In the general theory of voting, agents can do more than vote for a single alternative: usually, they get to rank all the alternatives. For example, if a group of people is deciding where to go for dinner together, one of them may prefer American food to Brazilian, and Brazilian to Chinese. This person’s vote can then be expressed as A > B > C.

Given everyone’s vote, which cuisine should be chosen? The answer is far from obvious. We need a voting rule that takes as input a collection of votes, and as output returns the winning alternative. A simple rule known as the plurality rule chooses the alternative that is ranked first the most often. In this case, the agents do not really need to give a full ranking: it suffices to indicate one’s most-preferred alternative, so each agent is in fact just voting for a single alternative.

Another rule is the anti-plurality rule, which chooses the alternative that is ranked last the least often. Now, it suffices for agents to report their last-ranked alternative—they are voting against an alternative. Which of these two rules is better? It is difficult to say. The former tries to maximize the number of agents that are happy about the choice; the latter tries to minimize the number that are unhappy. Another rule, known as the Borda rule, tries to strike a balance: when there are three alternatives, it will give two points to an alternative whenever it is ranked first, one whenever it is ranked second, and zero whenever it is ranked last. Many other rules, most of them not relying on such a points-based scheme, have been proposed; social choice theorists analyze the desirable and undesirable properties of these rules.

Rather than just choosing a winning alternative, most of these rules can also be used to find an aggregate ranking of all the alternatives. For example, we can sort the alternatives by their Borda score, thereby deciding not only on the “best” alternative but also on the second-best, and so on. There are numerous applications of this that are relevant to computer scientists: as an illustrative example, one can pose the same query to multiple search engines, and combine the resulting rankings of pages into an aggregate ranking.

One particularly nice rule for such settings is the Kemeny rule, which finds an aggregate ranking of the alternatives that “minimally disagrees” with the input rankings. More precisely, we say that a disagreement occurs whenever the aggregate ranking ranks one alternative above another, but one of the voters ranks the latter alternative above the former. The Kemeny rule produces a ranking that minimizes the total number of such disagreements (summed over both voters and pairs of alternatives).

The Kemeny rule has a number of desirable properties. For one, if we assume that there exists an unobserved “correct” ranking of the alternatives (reflecting their true quality), and each voter produces an estimate of this correct ranking according to a particular noisy process, then the Kemeny rule produces the maximum likelihood estimate of the correct ranking."”

Unfortunately, finding the Kemeny rule’s output ranking is computationally intractable (formally, NP-hard).° Nevertheless, there are algorithms that can usually solve the problem in practice.* As an example, in Duke University’s computer science department, we have used the Kemeny rule to find an aggregate ranking of our top Ph.D. applicants (based on the rankings of the individual admissions committee members); using the CPLEX solver, we found the Kemeny ranking of more than 100 applicants in under a minute.
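The four rules described above, run on one profile where they disagree. This is an added example, not code from the article: the nine-voter profile is constructed, all function names are assumptions, and the Kemeny search is a brute force over all rankings (the article's own runs used the CPLEX solver), so it is only usable for a handful of alternatives.

```python
from itertools import combinations, permutations

# Constructed profile for the dinner example: A = American, B = Brazilian,
# C = Chinese. Each vote is a full ranking, most preferred first.
VOTES = (
    [["A", "B", "C"]] * 4
    + [["B", "C", "A"]] * 3
    + [["C", "B", "A"]] * 2
)


def positional_scores(votes, weights):
    """Give weights[i] points to the alternative a vote ranks in position i."""
    scores = {alt: 0 for alt in votes[0]}
    for vote in votes:
        for position, alt in enumerate(vote):
            scores[alt] += weights[position]
    return scores


def plurality(votes):
    """One point per first place; the highest score wins."""
    m = len(votes[0])
    return positional_scores(votes, [1] + [0] * (m - 1))


def anti_plurality(votes):
    """One point per vote that does not rank the alternative last, so the
    highest score belongs to the alternative ranked last the least often."""
    m = len(votes[0])
    return positional_scores(votes, [1] * (m - 1) + [0])


def borda(votes):
    """m-1 points for first place, m-2 for second, ..., 0 for last."""
    m = len(votes[0])
    return positional_scores(votes, list(range(m - 1, -1, -1)))


def winners(scores):
    """All alternatives with the top score (more than one on a tie)."""
    best = max(scores.values())
    return sorted(alt for alt, s in scores.items() if s == best)


def ranking_by_score(scores):
    """Aggregate ranking from a score table; ties broken alphabetically."""
    return sorted(scores, key=lambda alt: (-scores[alt], alt))


def disagreements(ranking, votes):
    """Count (voter, pair) combinations where the voter orders the pair
    the opposite way from the aggregate ranking."""
    total = 0
    for upper, lower in combinations(ranking, 2):  # ranking puts upper first
        total += sum(1 for v in votes if v.index(lower) < v.index(upper))
    return total


def kemeny(votes):
    """Ranking with the fewest disagreements, by trying all m! rankings."""
    candidates = permutations(sorted(votes[0]))
    best = min(candidates, key=lambda r: (disagreements(r, votes), r))
    return list(best), disagreements(best, votes)


if __name__ == "__main__":
    print("plurality winner     :", winners(plurality(VOTES)))
    print("anti-plurality winner:", winners(anti_plurality(VOTES)))
    print("Borda ranking        :", ranking_by_score(borda(VOTES)))
    print("Kemeny ranking       :", kemeny(VOTES))
```

On this profile plurality elects the alternative that the Kemeny ranking puts last, and the Borda and Kemeny aggregate rankings differ in second place.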

While enabling the use of computationally demanding voting rules such as the Kemeny rule is valuable, I believe that, in the near future, computer scientists (specifically, the computational social choice community) will make much larger contributions to the theory and practice of voting. Real-world organizations often need to make not just a single decision, but rather decisions on a number of interrelated issues. In our dining example, the agents need to decide not only on a restaurant, but also on the time of the dinner; and an agent’s preferred restaurant may depend on the time of the dinner. For example, an agent may prefer not to start a heavy Brazilian steakhouse meal shortly before going to bed.

In some sense, the “correct” way of handling this is to make the alternatives combinations of a time and a cuisine, so that an agent can say: “I prefer an early Brazilian meal to a late Chinese meal to...” However, this straightforward approach rapidly becomes impractical as more issues are combined, because the number of alternatives undergoes a combinatorial explosion. Ideally, the agents would have an expressive language in which they can naturally and concisely represent their preferences. One good language for representing such preferences is that of CP-nets! (which bear some resemblance to Bayesian networks). A CP-net allows a voter to specify that her preferences for one issue depend on the decisions on some other issues—for example, “If we are eating early, I prefer Brazilian; otherwise, I prefer Chinese.” Given a language, we must design new voting rules that can operate on preferences represented in this language, as well as algorithms for running these rules.

While such combinatorial voting”””* is in its infancy, it is easy to see its potential value by considering how ad hoc the methods are that we use today for these types of situations. For example, members of Congress must vote on bills that address many different issues, and would often prefer to express preferences on individual issues. Unfortunately, voting on the individual issues separately can easily lead to undesirable results, because there is no guarantee that the issues are resolved in a consistent way. For instance, in the dining example, it may happen that most agents, in general, prefer to eat at a Brazilian steakhouse; and that, in general, most agents prefer to eat late; but most agents do not want to eat at a Brazilian steakhouse late at night. If they vote on the issues separately, the result may well be a late dinner at a Brazilian steakhouse. This is why the language for expressing preferences needs to allow the agents to specify some interactions among the issues.
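The inconsistency described above, reproduced on a small profile. This is an added example, not code from the article: the three votes are constructed, the function names are assumptions, and it assumes that in an issue-by-issue vote each agent backs the cuisine and the time of her own top-ranked combination.

```python
from collections import Counter

# Alternatives are (cuisine, time) combinations.
BE, BL = ("Brazilian", "early"), ("Brazilian", "late")
CE, CL = ("Chinese", "early"), ("Chinese", "late")

# Constructed profile: each vote ranks all four combinations, best first.
VOTES = [
    [BE, CE, CL, BL],  # wants Brazilian, but only if the dinner is early
    [CL, CE, BE, BL],
    [BL, BE, CL, CE],
]


def conditional_cuisine(vote, time):
    """CP-net style statement read off a full ranking: the cuisine this
    voter prefers once the time of the dinner is fixed."""
    return next(cuisine for cuisine, t in vote if t == time)


def issue_by_issue(votes):
    """Majority vote on each issue separately. Assumption: every voter
    votes for the value that appears in her top-ranked combination."""
    outcome = []
    for issue in range(len(votes[0][0])):
        tally = Counter(vote[0][issue] for vote in votes)
        outcome.append(tally.most_common(1)[0][0])
    return tuple(outcome)


def pairwise_support(votes, x, y):
    """Number of voters who rank combination x above combination y."""
    return sum(1 for v in votes if v.index(x) < v.index(y))


def is_condorcet_loser(votes, alt):
    """True if a strict majority prefers every other combination to alt."""
    others = [a for a in votes[0] if a != alt]
    return all(pairwise_support(votes, o, alt) > len(votes) / 2 for o in others)


def ranked_last_by(votes, alt):
    """Number of voters for whom alt is the worst combination."""
    return sum(1 for v in votes if v[-1] == alt)


if __name__ == "__main__":
    result = issue_by_issue(VOTES)
    print("issue-by-issue outcome:", result)
    print("ranked last by", ranked_last_by(VOTES, result), "of", len(VOTES))
    print("Condorcet loser:", is_condorcet_loser(VOTES, result))
    for time in ("early", "late"):
        print("voter 1, if", time, "->", conditional_cuisine(VOTES[0], time))
```

Brazilian wins the cuisine vote and late wins the time vote, yet two of the three voters rank a late Brazilian dinner last and a majority prefers every other combination to it.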

Allocating tasks and resources. A voting scheme allows an agent to submit arbitrary preferences over the alternatives. While this generality is nice, in many settings, it is not needed, because we can safely make some assumptions about agents’ preferences. Let us consider again the example of allocating chores in a household. One alternative might be: “Alice will vacuum and take out the trash, and Bob will do the dishes.” It seems safe to assume that Bob will prefer this alternative to the alternative: “Alice will take out the trash, and Bob will vacuum and do the dishes,” since the latter alternative gives Bob an additional task. On the other hand, if we are allocating desirable resources instead of cumbersome tasks, then presumably more is preferred to less. For example, if the agents jointly own a car, an alternative might be: “Alice gets to use the car on Friday, and Bob gets to use it on Saturday and Sunday,” which Bob presumably prefers to the alternative “Alice gets to use the car on Friday and Saturday, and Bob gets to use it on Sunday.” Here, the use of the car on a particular day is a “resource.” These assumptions about preferences—receiving more tasks or fewer resources is never preferred—are commonly referred to as monotonicity assumptions.

Another reasonable assumption about preferences is that an agent only cares about which tasks or resources are allocated to her. For example, Alice is likely to be indifferent between “Alice gets the car on Friday, Bob on Saturday, and Carol on Sunday” and “Alice gets the car on Friday, Bob on Saturday and Sunday, and Carol never.” In economics, the assumption that an agent, given her own resources and tasks, does not care about how the remaining resources and tasks are allocated to the other agents is known as the no-externalities assumption. It is not always completely accurate—Alice may dislike the alternative where Carol never gets the car slightly more, for example because Carol will ask Alice to run errands for her in that case—but it is usually assumed.

Reasonable assumptions such as these allow us to get away from the full generality of the voting model, and make decisions in a way that is more specific to task and resource allocation. Incidentally, there are many applications of task and resource allocation within computer science. For example, we may allocate time on a supercomputer (or other computing resources) instead of time with a car. Also, instead of allocating the chores of a household to its inhabitants, we may allocate jobs to machines.

So, how should we allocate tasks and resources? By far the most common approach to this is to assume that the agents can make or receive payments in some currency, which leads us to auction and exchange mechanisms. I will discuss such mechanisms in more detail later on, but for now, I first consider methods that do not require payments. These methods will generally try to find an allocation that is “fair” in some sense.

One fairness criterion is envy-freeness: We should find an allocation such that every agent prefers her bundle (that is, the tasks or resources allocated to her) to each other agent’s bundle. When resources are not divisible, an envy-free allocation is not always possible, and deciding whether one exists is NP-hard.” Moreover, one can argue that envy-freeness alone is not sufficient: even if an allocation is envy-free, it is possible that reallocating the tasks or resources can make everyone better off, in which case we say that the original allocation is not Pareto efficient. For example, consider a situation where one agent owns two left shoes, and another agent owns two right shoes. Neither agent envies the other’s situation, but both agents can be made better off by trading a left shoe for a right shoe. Pareto efficiency is generally considered to be of paramount importance. There has been work characterizing the computational complexity of finding an allocation that is both envy-free and Pareto efficient.’
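The shoe example above, checked exhaustively. This is an added example, not code from the article: the function names, the utility functions and the item labels are assumptions, Pareto improvement is taken in the usual sense (nobody worse off, somebody strictly better off), and the search enumerates every allocation, so it only scales to a few items.

```python
from itertools import product


def all_allocations(items, n_agents):
    """Yield every way to hand each indivisible item to exactly one agent,
    as a tuple of bundles (frozensets), one bundle per agent."""
    for owners in product(range(n_agents), repeat=len(items)):
        yield tuple(
            frozenset(i for i, o in zip(items, owners) if o == agent)
            for agent in range(n_agents)
        )


def is_envy_free(allocation, utilities):
    """Every agent values her own bundle at least as much as any other's."""
    return all(
        utility(allocation[agent]) >= utility(bundle)
        for agent, utility in enumerate(utilities)
        for bundle in allocation
    )


def pareto_improvements(allocation, items, utilities):
    """All reallocations that leave nobody worse off and somebody better off."""
    current = [u(b) for u, b in zip(utilities, allocation)]
    found = []
    for other in all_allocations(items, len(utilities)):
        values = [u(b) for u, b in zip(utilities, other)]
        no_one_worse = all(v >= c for v, c in zip(values, current))
        someone_better = any(v > c for v, c in zip(values, current))
        if no_one_worse and someone_better:
            found.append(other)
    return found


def is_pareto_efficient(allocation, items, utilities):
    return not pareto_improvements(allocation, items, utilities)


def envy_free_exists(items, utilities):
    """Brute-force form of the decision problem the text calls NP-hard."""
    n = len(utilities)
    return any(is_envy_free(a, utilities) for a in all_allocations(items, n))


# Constructed instance: two left and two right shoes; an agent's utility is
# the number of complete pairs in her bundle.
SHOES = ["L1", "L2", "R1", "R2"]


def pairs(bundle):
    left = sum(1 for shoe in bundle if shoe.startswith("L"))
    return min(left, len(bundle) - left)


SHOE_UTILITIES = [pairs, pairs]
BEFORE = (frozenset({"L1", "L2"}), frozenset({"R1", "R2"}))
AFTER = (frozenset({"L1", "R1"}), frozenset({"L2", "R2"}))

# Constructed instance: one indivisible car day that both agents want.
CAR = ["saturday"]
CAR_UTILITIES = [len, len]

if __name__ == "__main__":
    print("before: envy-free", is_envy_free(BEFORE, SHOE_UTILITIES),
          "| Pareto efficient", is_pareto_efficient(BEFORE, SHOES, SHOE_UTILITIES))
    print("after : envy-free", is_envy_free(AFTER, SHOE_UTILITIES),
          "| Pareto efficient", is_pareto_efficient(AFTER, SHOES, SHOE_UTILITIES))
    print("envy-free split of one car day exists:",
          envy_free_exists(CAR, CAR_UTILITIES))
```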

In a context where every resource 
is initially owned by one of the agents, 
it makes sense to use an exchange— 
even if, for some reason, payments 
are not possible. The following is one 
such example of an exchange without 
payments. 

Kidney exchanges. In most exchang- 
es, the participants can make payments 
to each other, which facilitates trade. 
However, there are some exchanges in 
which no payments can be made, so 
that only items change hands. These 
are known as barter exchanges. An ex- 
ample is a kidney exchange.” 

Buying and selling kidneys is ille- 
gal in most countries; however, this 
is not the case for swapping kidneys. 
As an example, suppose a patient is in 
need of a kidney transplant, and there 
is a donor who is willing to give up her 
kidney for this particular patient, but 
unfortunately they are not compatible. 
There may be a second patient-donor 
pair in the same situation; moreover, it 
may be the case that the second patient 
is compatible with the first donor, and 
the first patient is compatible with the 
second donor. In this case, it is benefi- 
cial for the two patient-donor pairs to 
swap their donors’ kidneys. 

It is helpful to think of each patient-
donor pair as a single agent, so that
each agent has a kidney and needs
a(nother) kidney. This makes it easier
to see that more complex trades can
be beneficial: agent 1’s kidney can go
to agent 2, agent 2’s kidney to agent 3,
and agent 3’s kidney to agent 1—this is
known as a cycle of length 3. Of course,
we can also have cycles of length 4, and
so on—but it is preferable to not have
very long cycles (all the operations in
a cycle have to be performed simulta-
neously so that nobody will back out,
which poses a logistical problem for
long cycles; also, if last-minute testing
discovers an incompatibility in the cy-
cle, the entire cycle collapses).

Kidney exchanges are a reality, and
computer scientists are involved in
them. Indeed, they have started work-
ing on the computational problem of
clearing the exchange: the input de-
scribes which patients are compatible
with which of the donors’ kidneys, and
the output specifies which cycles will
be used. Using matching algorithms,
the problem can be solved in polyno-
mial time if there are no restrictions
on how long cycles can be, or if only
cycles of length two are allowed. How-
ever, if the maximum cycle length is
three or more, then the problem is NP-
hard. Nevertheless, in practice, large
exchanges can be solved to optimality,
using optimization techniques includ-
ing column generation and branch-
and-price search.
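The clearing problem described above, as an added example that is not code from the article: it enumerates cycles up to a maximum length and picks the vertex-disjoint set that covers the most agents. It is a plain exhaustive search for small instances, not the column-generation or branch-and-price methods the article cites; the compatibility data and all function names are constructed for illustration.

```python
def find_cycles(compat, max_len):
    """Enumerate simple directed cycles of length 2..max_len.

    compat[i] is the set of agents whose patient can receive the kidney
    of agent i's donor, so an edge i -> j means "i's kidney goes to j".
    Each cycle is reported once, as a tuple starting at its smallest agent.
    """
    cycles = []

    def extend(path):
        last = path[-1]
        for nxt in compat.get(last, ()):
            if nxt == path[0] and len(path) >= 2:
                cycles.append(tuple(path))          # closed a cycle
            elif nxt > path[0] and nxt not in path and len(path) < max_len:
                extend(path + [nxt])                # keep walking

    for start in sorted(compat):
        extend([start])
    return cycles


def clear_exchange(compat, max_len):
    """Return a set of vertex-disjoint cycles covering the most agents."""
    cycles = find_cycles(compat, max_len)
    best = []

    def search(idx, used, chosen, count):
        nonlocal best
        if count > transplants(best):
            best = list(chosen)
        for k in range(idx, len(cycles)):
            cycle = cycles[k]
            if used.isdisjoint(cycle):              # no agent in two cycles
                search(k + 1, used | set(cycle), chosen + [cycle],
                       count + len(cycle))

    search(0, frozenset(), [], 0)
    return best


def transplants(cycles):
    """Number of patients who receive a kidney."""
    return sum(len(c) for c in cycles)


# Constructed sample: five patient-donor pairs (agents 1..5).
SAMPLE = {1: {2}, 2: {3}, 3: {1, 4}, 4: {3, 5}, 5: {4}}

if __name__ == "__main__":
    for limit in (2, 3):
        chosen = clear_exchange(SAMPLE, limit)
        print(f"max cycle length {limit}: {chosen} -> "
              f"{transplants(chosen)} transplants")
```

On this sample, allowing only two-way swaps serves two patients, while allowing cycles of length 3 serves all five.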


Setting with Payments 

We now move on to settings where 
agents can make or receive payments. 
Payments are useful because they allow
us to quantify agents’ preferences. In-
formally, agents now need to put their
money where their mouths are. Pay-
ments also allow us to transfer happi-
ness (utility) from one agent to another.

Auctions and exchanges. In many 
problems that require us to decide on 
an allocation of tasks or resources, it 
makes sense to also determine pay- 
ments that some agents should make 
to other agents. Returning to our exam-
ple of allocating chores, imagine that
the inhabitants are roommates who
each pay a share of the rent, and we
end up assigning a disproportionate
number of chores to one of the room-
mates. It seems fair that this roommate
should pay a smaller share of the rent,
which effectively represents a mon-
etary transfer to this roommate from
the others. This arrangement may well
be to everyone’s benefit, for example, if
this roommate is unemployed and has
plenty of time for completing chores
but little money to spend on rent.

Once we start to consider payments
in the allocation of tasks and resources,
we are quickly drawn into auction theo-
ry. (An article on auctions and computer
science appeared in the August 2008 is-
sue of Communications.) Most people
are familiar with the English auction
format, where a single item (or a single
lot of items) is for sale, and bidders
call out increasing bids until nobody
is willing to place a higher bid. There
are many other auction formats, such
as the Dutch auction, where the price
is high initially and bidders stay silent
as the price gradually decreases, until
a bidder announces that she wants to
purchase the item at that price, at which
point the auction ends immediately.

Yet another format is the sealed-bid
format, where bidders write down a
bid on a piece of paper, place it in an
envelope, and give it to the auctioneer;
the auctioneer opens the envelopes
and declares the highest bid the win-
ner. Because at this point, we are most-
ly concerned with how to make a deci-
sion based on the agents’ preferences,
rather than with how these preferenc-
es are communicated, it will be easi-
est for us to think about the sealed-bid
format for now.

If we are assigning a task rather
than allocating a resource, we can use
a reverse auction. Here, a bid of $10 on
a task indicates that the bidder wants
to be paid $10 for completing the task;
in this context, the lowest bid wins.
Generally, in an auction, there is a sell-
er who receives the payment from the
winning bidder (or, in a reverse auc-
tion, a buyer who makes the payment
to the winning bidder). A seller is not
always present, however: for example,
if the agents are trying to decide who
gets the right to drive the car on a par-
ticular day, they can hold an auction
for this right, but in this case it would
be natural for the winning agent’s pay-
ment to go to the losing agents. Some
recent work has been devoted to de-
signing mechanisms for redistributing
the auction’s revenue to the agents.

The key benefit of using an auction
(or reverse auction) is that generally, the
resource ends up with the agent who
values it the most (or the task ends up
with the agent who minds doing it the
least); in this case, we say that the auc-
tion results in an efficient allocation.
If an allocation is inefficient, then it is
possible to make everyone better off by
reallocating some of the tasks/resourc-
es, as well as some money. By this argu-
ment, efficiency and Pareto efficiency
are the same concept in this context.

When there are multiple resources
(or tasks) that need to be allocated,
one straightforward way of doing this
is to hold a separate auction for each
resource. However, this approach has
a significant downside, which is relat-
ed to the following observation: how
much one of the resources is worth to
an agent generally depends on which
other resources that agent receives.
For example, if Alice already has the
right to drive the car on Friday, then
probably having it on Thursday as well
is not worth much to her because she
can already run her errands on Friday.
In contrast, if she does not have the
car on any other day, then having it on
Thursday is probably very valuable to
her. When having one resource makes
having another worth less, then we say
that the resources are substitutes. On
the other hand, Alice may want to go
on a two-day trip, in which case having
the car on Thursday is worth nothing
unless she also has it on Friday. When
having one resource makes having an-
other worth more, then we say that the
resources are complements.

Substitutability and complementa-
rity make it suboptimal to sell the re-
sources in separate auctions, for the fol-
lowing reason. If the auction for the right
to use the car on Thursday is run first,
in some sense Alice does not know how
much she values it, because she does not
yet know whether she will win the auc-
tions for the other days. This uncertain-
ty can result in inefficient allocations.

Combinatorial auctions provide a
solution. In a (sealed bid) combinato-
rial auction, a bidder’s bid does not
just indicate how much the bidder val-
ues each individual item; rather, the
bidder expresses a value for every non-
empty subset (bundle) of the items. For
example, Alice’s bid could say: “Having
the car on Thursday is worth $5 to me,
having it on Friday is worth $6, and
having it on both Thursday and Friday
is worth $8.” Given all this informa-
tion (for all bidders), an algorithm can
search through all possibilities for al-
locating the items to the bidders, and
find the most efficient one—that is, the
allocation that maximizes the sum of
the agents’ valuations.

Similarly, in a combinatorial reverse
auction, each bidder expresses how
much she wants to be compensated
for every bundle of tasks that might be
assigned to her. Yet another variant is
a combinatorial exchange, in which
agents can take the role of a seller as
well as the role of a buyer, and they
express combinatorial valuations for
these more complex trades. These vari-
ants face many of the same issues as
combinatorial auctions.

Once there are more than a few
items in a combinatorial auction, the 
straightforward approach in which 
each bidder explicitly states how much 
every bundle of items is worth to her 
becomes completely impractical, since 
there are exponentially many bundles. 
Instead, we can let bidders use an ex- 
pressive bidding language that allows 
them to express natural valuation func- 
tions concisely (similarly to the CP-nets 
that I mentioned in the context of com- 
binatorial voting). 

A simple example is the XOR lan- 
guage, in which a bidder explicitly ex- 
presses valuations for some (but gen- 
erally not all) bundles. For example, if 
the items for sale are {a, b, c}, a bidder
could bid ({a}, 5) XOR ({b, c}, 10). This
indicates that she values the bundle
{a} at 5; the bundle {b, c} at 10; the
bundle {a, b} at 5, since it is not explic-
itly listed, but it contains the bundle
{a}; and the bundle {a, b, c} at 10, since
the highest-value listed bundle that 
it contains is {b, c} (the use of XOR, 
rather than OR, indicates that we can- 
not simply add up the values of the two 
listed bundles to get 15). 

The choice of bidding language af- 
fects issues such as the computational 
complexity of the winner determina- 
tion problem—that is, the problem of 
finding the efficient allocation of the 
items, given the bids. Even if each bid- 
der only bids on a single bundle, the 
combinatorial auction winner determi-
nation problem is NP-hard and inap-
proximable. On the other hand, it is
known that under certain conditions
on the bids, the winner determination
problem can be solved in polynomial
time. For example, if bidders bid only
on bundles of at most two items, then
the winner determination problem
can be solved in polynomial time, via
matching algorithms. In general, the
runtime heavily depends on how the
bids are generated: in some cases, it is
possible to scale to hundreds of thou-
sands of items and tens of thousands
of bids, whereas in other cases, current
techniques have trouble scaling beyond
tens of items and hundreds of bids.

Instead of letting bidders bid only
once—that is, requiring them to give all
their valuation information at once—it
is possible to use an iterative (or pref-
erence elicitation) format, in which
bidders repeatedly respond to queries
about their valuations. In a single-
item setting, this corresponds to the dis-
tinction between a sealed-bid auction,
in which each bidder bids only once, and
an English auction, in which the auc-
tioneer repeatedly queries the bidders
for higher valuations. Using preference
elicitation in a combinatorial auction
has the potential to greatly decrease the
total amount of valuation information
that the bidders need to communicate,
while still finding the efficient alloca-
tion. This leads to the following inher-
ently computational question: how
should the procedure for querying the
bidders be designed to minimize the re-
quired amount of communication?

Combinatorial auctions are more 
than a theoretical curiosity: they are 
used in practice in settings where the 
items display significant complemen- 
tarities. Prominent examples include 
auctions for radio spectrum, as well as 
reverse auctions for strategic sourcing 
(in which large companies set up con-
tracts with suppliers).

In a context that is perhaps closer 
to home for most computer scientists, 
auctions are now also used by the lead-
ing search engines to allocate the ad-
vertising space on their search results 
pages. This is another example of an 
auction with multiple resources for 
sale: any search performed by a user 
results in multiple advertisement slots 
becoming available. These auctions are 
called sponsored search auctions, and 
they introduce a variety of new issues. 
For example, in a typical sponsored 
search auction, an advertiser pays only 
if the user clicks on her ad, rather than 
every time her ad is displayed. The 
prominent place sponsored search
auctions occupy in the business mod-
els of the companies that use them has
helped to bring about an explosion of
research on them in recent years; a
thorough discussion would easily mer-
it its own article.

While auctions and exchanges are 
the settings with payments that have 
attracted the most attention from com- 
puter scientists, there are numerous 
other, more specialized applications. 
Some of these are discussed here. 

Charitable giving. Let us consider a 
person who is contemplating donating 
some money (say, $100) to a charitable
cause. It may seem that the potential 
donor should just evaluate what else 
she would do with the money, and 
whether that is worth more to her than
to see the charity receive $100. While
this is a reasonable way to proceed,
there are other options if there are mul-
tiple potential donors.

Suppose there is a second donor
that is making the same decision. Also,
let us suppose each donor concludes
that she would slightly prefer spend- 
ing $100 on other things over seeing the 
charity receive $100. Hence, using the 
straightforward decision procedure de- 
scribed earlier, neither donor will give 
any money. However, it may well be that 
even with these preferences, each donor 
would prefer the outcome where both do- 
nors give. That is, each donor may prefer 
the outcome where the charity receives 
$200, and she contributes only $100 of 
this. This is because, other things being 
equal, they would like the other donor to 
give as much money to the charity as pos- 
sible. (Unlike settings discussed earlier 
in this article, this is inherently a setting
with a type of externality: a donor has
preferences over what another donor
does with her money.) However, with
the straightforward decision procedure,
neither donor has the ability to influence
what the other gives. This is the reason
that neither donor gives to the charity.

In fact, there is a way in which a do-
nor can affect another donor’s decision.
Suppose that one of the two donors can 
make a binding matching offer, com- 
mitting to donating the same amount 
as the other donor. In this case, the oth- 
er donor has a choice between giving 
$100, resulting in a $200 total contribu- 
tion to the charity, and giving nothing, 
resulting in a $0 total contribution to 
the charity. Given the preferences that 
we assumed, the donor will in fact give 
$100, thereby forcing the other donor
to give $100 as well. It should be noted
that both donors (as well as the char- 
ity) prefer this outcome to the outcome 
that results when they make their deci- 
sions separately (which is for both of 
them to give $0). 

In practice, a matching offer is gen- 
erally made by a single large donor, of- 
fering to match donations by multiple 
smaller donors. As we just saw, simple 
matching offers can lead to improved re- 
sults, but they are still restrictive. What 
can be done if multiple donors want to 
make their donations conditional on the 
others’ donations? This type of expres- 
siveness can lead to even better out- 
comes, but one has to be careful to avoid 
circularities. For example, consider the
case where A will match B’s contribu-
tion, and B will match A’s contribution.

We proposed a system in which each
donor can make her donation condi-
tional on the total donated to the chari-
ty by all the donors combined. In fact,
the framework allows for donations to 
be conditional on the total amounts 
donated to multiple charities. We also 
designed algorithms for determining 
the final outcome based on everyone’s 
offers, which is NP-hard in general but 
tractable in special cases. We used this 
system to collect donations for the vic- 
tims of the Indian Ocean tsunami, and 
later for the victims of Hurricane Ka- 
trina. While the total amount collected 
from these events was small (about 
$1,000), the events gave some insight 
into how donors use the system. About 
75% of the donors made their dona- 
tions conditional on the total amount 
collected, suggesting that donors ap- 
preciated being able to do so. One in- 
teresting observation is that the effec- 
tiveness of the system (in terms of how 
much participants were willing to do- 
nate) apparently depended on whose 
donations the donors were matching. 
The tsunami event was conducted 
among the participants of a workshop, 
so that to some extent everyone knew 
everyone else; in contrast, the hurri- 
cane event was open to anyone. The 
tsunami event was more successful, 
perhaps because the participants knew 
whose donations they were matching. 
More recent systems also allow donors 
to make their donations conditional 
only on the donations from selected 
parties, taking social network structure 
into account. I believe this innovation
has the potential to make such systems
much more successful.

Prediction markets. The markets I 
have considered so far generally pro- 
duce a tangible outcome, such as an 
allocation of resources. The participat- 
ing agents have different preferences 
over the possible outcomes, and the 
market is a mechanism for finding a 
good outcome for these preferences. 
The type of market that I discuss next 
is a little different. 

A prediction market concerns a
particular future event whose outcome 
is currently uncertain. For example, 
the event could be an upcoming sports 
game, or an election. The agents trad- 
ing in the prediction market generally 
cannot (significantly) influence the out- 
come of the event; the goal of the market 
is merely to predict the outcome of the 
event, based on the collective informa- 
tion and reasoning of the participating 
agents. Typically, the market predic- 
tion is in the form of a probability: for 
example, the market’s assessment may 
be that the probability that team A will 
beat team B is 43%. Prediction markets 
are quite popular on the Web: examples
include the Iowa Electronic Markets as
well as Intrade. Each of these runs pre-
diction markets on a variety of events; 
it appears that the political events (for 
example, predicting the winner of an 
election) are the most popular. 

A common way to run a prediction 
market is as follows. We create a se-
curity that pays out (say) $1 if team A
wins, and $0 if team A does not win. We
then let agents trade these securities.
Eventually, this should result in a rela- 
tively stable market price: for example, 
the security may trade at about $0.43. 
This can be interpreted to mean that 
the market (that is, the collection of 
agents) currently believes the probabil- 
ity that team A will win is about 43%. 

If an agent disagrees with this as- 
sessment, then she should buy or sell 
some of the securities. For example, if 
an agent believes that the probability is 
46% (even after observing the current 
market price of $0.43), then she can 
buy one of the securities at price $0.43, 
and her expected payout for this secu-
rity will be 46% · $1 = $0.46. As she buys
more securities, the market price will 
eventually go up to $0.46. 

If the agent believes the probabil-
ity is 40%, then she should sell some
of the securities. If she currently does
not own any of the securities, she can
either short-sell, so that she effec-
tively owns a negative number of the
securities; or, she can buy securities
for the complementary outcome(s):
for example, if the match between A
and B is guaranteed to have a winner,
she can buy a security that pays out if
B wins. The prices of these securities
are related: if the match is guaran-
teed to have a winner, then the sum
of the current prices of the security
that pays out $1 if A wins, and the
security that pays out $1 if B wins,
must always be equal to $1. If it were
not, then there would be an opportu-
nity for arbitrage: a combination of
deals that leads to a risk-free profit.
Specifically, if the sum of the current
prices is (say) $0.9, then one can buy
both of the securities, and have a guar-
anteed profit of $0.1, because one of
them must pay out. If the sum is (say)
$1.1, then one can sell both securities,
which again will result in a guaranteed
profit of $0.1.

One complication for standard pre- 
diction markets is that many real-world 
events have exponentially many pos- 
sible outcomes. For example, consider 
a U.S. presidential election. In a sense, 
every state (and the District of Colum- 
bia) has a separate outcome, so that 
even with two presidential candidates 
there are 2^51 possible outcomes of the
election. Of course, we can have a 
separate market for each of the states, 
but this will still result in some missed 
opportunities. 

For example, I may believe that
with probability 80%, the Democratic
candidate will win at least one of Flor-
ida, Ohio, and North Carolina. It is
not immediately clear how this belief
should translate into trading strate-
gies for securities for the individual
states. I would much rather simply
buy a security that pays out exactly
if the Democratic candidate wins at
least one of Florida, Ohio, and North
Carolina. Now, suppose there is an-
other trader who believes that with
probability 30%, the Republican can-
didate will win all of Florida, Ohio,
North Carolina, and Missouri, and
would like to buy a security that pays
out precisely under these conditions.
Ideally, the prediction market could
automatically create both of these
securities, charge me (say) $0.79 for
mine, and charge the other trader
(say) $0.29 for hers. Both of us will ac-
cept these deals; moreover, since at
most one of our two securities will pay
out, the prediction market is guaran-
teed a risk-free profit of at least $0.08.
Such combinatorial prediction mar-
kets have recently started to receive
attention. Running such markets re-
quires solving computationally hard
problems: for example, determining
whether there is a risk-free combina-
tion of securities that can be created is
generally NP-hard.

b Actually, this is slightly inaccurate: the states
of Maine and Nebraska do not use a winner-
takes-all system, further increasing the num-
ber of possible outcomes.
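The risk-free check described above, as an added example that is not code from the article: it enumerates every joint outcome of the four states and searches all subsets of requested securities for the one with the largest guaranteed profit to the market. The first two orders use the article's prices; the third order, the function names, and the use of integer cents are assumptions made for the illustration, and the exhaustive search only suits tiny instances.

```python
from itertools import combinations, product

STATES = ("FL", "OH", "NC", "MO")


def outcomes(states=STATES):
    """Yield every joint outcome as a dict: state -> winning party."""
    for winners in product("DR", repeat=len(states)):
        yield dict(zip(states, winners))


def worst_case_profit(orders):
    """Market's profit in cents in its least favourable outcome.

    Each order is (price_cents, pays_out) where pays_out(outcome) says
    whether the $1 security the trader bought pays out in that outcome.
    """
    revenue = sum(price for price, _ in orders)
    return min(
        revenue - 100 * sum(pays(o) for _, pays in orders)
        for o in outcomes()
    )


def best_risk_free_subset(orders):
    """Search every non-empty subset of orders for the largest profit the
    market is guaranteed whatever happens; (0, ()) means none exists."""
    best_profit, best_subset = 0, ()
    for size in range(1, len(orders) + 1):
        for idx in combinations(range(len(orders)), size):
            profit = worst_case_profit([orders[i] for i in idx])
            if profit > best_profit:
                best_profit, best_subset = profit, idx
    return best_profit, best_subset


ORDERS = [
    # Article: pays if the Democrat wins at least one of FL, OH, NC; $0.79.
    (79, lambda o: any(o[s] == "D" for s in ("FL", "OH", "NC"))),
    # Article: pays if the Republican wins all of FL, OH, NC, MO; $0.29.
    (29, lambda o: all(o[s] == "R" for s in ("FL", "OH", "NC", "MO"))),
    # Constructed extra order: pays if the Democrat wins FL; $0.40.
    (40, lambda o: o["FL"] == "D"),
]

if __name__ == "__main__":
    print("article's two orders:", worst_case_profit(ORDERS[:2]), "cents")
    print("best subset of all three:", best_risk_free_subset(ORDERS))
```

Accepting the constructed third order would expose the market to a loss, because it can pay out together with the first security.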


Strategic Behavior: Game 
Theory and Mechanism Design 


So far, I have focused on allowing


agents to communicate their prefer- 
ences (or, in the case of prediction 
markets, their beliefs), ideally in an ex- 
pressive and natural way, as well as on 
making good decisions based on what 
was communicated. I have ignored one 
key aspect, though: Are the agents in- 
centivized to communicate their prefer- 
ences and beliefs truthfully, or can they 
benefit from misreporting them? 

For example, in an election, an 
agent’s true preferences may be a > 
b > c. However, if the agent realizes 
that a has no chance of winning, she 
may instead choose to vote b > a > c,
so as to at least maximize the chances
of b winning. Similarly, in an auction,
an agent who values the item for sale
at $10 may instead bid only $5, in the
hope of paying less. While such strate-
gic behavior may be beneficial for the
agent who engages in it, it generally
makes the quality of the overall out-
come worse, because now it is chosen
based on input that does not reflect
the true preferences.

These considerations lead us into 
mechanism design. Informally stated,
the goal of mechanism design is to de-
sign rules for choosing the outcome
that lead to good results even in set-
tings where agents are strategic—that
is, an agent will lie about her preferenc-
es if this is in her best interest. Mecha-
nism design has been studied primar-
ily (until recently, almost exclusively) in
economics.^c Evaluating the quality of a
mechanism is nontrivial: it requires be-
ing able to predict how multiple strate-
gic agents will act in each other’s pres-
ence. Game theory provides tools for
making such predictions.^d (An article
about computer science and game the-
ory appeared in the August 2008 issue
of Communications.)

The standard approach to mecha- 
nism design is simply to ensure it is 
never beneficial for an agent to lie about 
her preferences. A result known as the 
revelation principle suggests that this 
approach is, from the point of view of 
strategic behavior, without loss of opti- 
mality. A mechanism under which it is 
never beneficial to lie is called truthful.
Unfortunately, it turns out that in gen-
eral voting settings, no good truthful
mechanisms exist, by a result known as
the Gibbard-Satterthwaite impossibil-
ity theorem.

For settings such as auctions and ex- 
changes, where payments can be made, 
there are much more positive results. For 
one, if our goal is to allocate the resourc- 
es efficiently, there are rules for specifying 
how much agents should pay that make 
the mechanism as a whole truthful. 

A simple example of such a payment 
rule is the second-price sealed-bid auc- 
tion for a single item. In this auction, 
the bidder with the highest bid wins, 
but only pays the second-highest bid. As 
a result, the winning bidder’s bid does 
not affect the price she pays; so the only 
effect that misreporting her valuation 
for the item can possibly have is that 
she does not win, which would make 
her worse off. Similarly, the only effect 
that misreporting can possibly have 
for a losing bidder is that she ends up 
winning at a price that is too high for 
her, which would make her worse off. 
So, a bidder is always best off reporting 
her true valuation for the item—that is, 
the second-price sealed-bid auction is 
truthful. This scheme can be general- 
ized to combinatorial auctions and ex- 
changes (and other settings), resulting 
in the class of Vickrey-Clarke-Groves 
(VCG) mechanisms.


c In 2007, Hurwicz, Maskin, and Myerson re- 
ceived the Nobel Prize in Economics for their 
fundamental work on mechanism design. 

d Game theory has led to two other Nobel Prizes 
in Economics: Nash, Selten, and Harsanyi re- 
ceived one in 1994, and Aumann and Schelling 
in 2005. 


The issues studied in mechanism 
design interact with the computation- 
al issues I discussed before in subtle 
ways. For example, suppose we want 
to run a combinatorial auction using 
a VCG mechanism. Technically, this 
means we should always solve the win- 
ner determination problem to optimal- 
ity, that is, find the most efficient allo- 
cation—which we know is NP-hard. If 
we do not always succeed at finding 
the most efficient allocation, then the 
resulting mechanism will, in general, 
not be truthful. A significant amount 
of research has addressed the problem 
of designing polynomial-time approxi- 
mation algorithms that, in combina- 
tion with the right payment rule, are 
truthful. More generally, the problem
of designing efficient algorithms that
can be made truthful is the main topic
of algorithmic mechanism design.
This line of research has also been ex-
tended to distributed settings without
a trusted center.

We can use computers not only to 
run existing mechanisms, but also to 
design new mechanisms from scratch. 
That is, for a given setting, we let an al- 
gorithm search through the space of all 
possible truthful mechanisms for an
optimal one. This approach is called
automated mechanism design. Find-
ing an optimal mechanism is computa-
tionally much harder than running an
existing mechanism, and as a result au-
tomated mechanism design has so far
been successful only on small instanc-
es. Nevertheless, some real instances


are in fact small, and even for larger in- 
stances, solving a simplified version can 
give some helpful intuition. Automated 
mechanism design can also be used to 
solve some small instances of a general 
mechanism design problem; then, a 
human mechanism designer can try to 
identify a pattern in these small solu- 
tions, conjecture the general solution, 
and prove it analytically. In this way, 
automated mechanism design can con- 
tribute to microeconomic theory. This 
methodology has recently been used to 
design mechanisms for redistributing 
an auction’s revenue to the bidders in a
truthful way (for example, Guo and Co-
nitzer), and the methodology is start-
ing to be adopted more widely.

It is not always the mechanism de-
signer or the party running the mecha-
nism that faces hard computational
problems. Under some mechanisms, it
is computationally hard for the agents
to find the strategically optimal action
to take. This is not the case for truthful
mechanisms, where strategically opti-
mal behavior simply means telling the
truth. However, no reasonable voting
rule is truthful in sufficiently general
settings (by the Gibbard-Satterthwaite
theorem mentioned above). It has been
shown that in a variety of voting set-
tings, it is NP-hard to find the strategi-
cally optimal vote(s) to cast, even if the
other agents’ votes are already known
(for example, Bartholdi, Conitzer,
and Hemaspaandra). This is a case
where computational hardness can 
be desirable: it can be argued that if a 
voter cannot find a way of misreporting 
her preferences that benefits her, then 
she will presumably tell the truth. For 
now, the impact of this type of result is 
limited by the fact that NP-hardness is 
a worst-case measure, and it may well 
be the case that it is easy to find an ef- 
fective way of misreporting one’s pref- 
erences most of the time. 

Another important issue is that the 
mechanisms from traditional mecha- 
nism design mainly guard against a 
single type of manipulation: misre- 
porting one’s preferences. However, 
mechanisms run in highly anonymous 
environments such as the Internet are 
vulnerable to other types of manipula- 
tion. Specifically, it is often possible for 
a single agent to pretend to be multiple 
agents (known as false-name manipu- 
lation or a Sybil attack). The standard 
mechanisms for guarding against 
misreporting, such as the VCG mecha- 
nisms, are generally not robust to false- 
name manipulation. A mechanism that 
is robust to it—that is, under which no 
agent ever benefits from using multiple 
identifiers—is said to be false-name-
proof, and a growing body of research
attempts to design such mechanisms. 
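The XOR bidding language, winner determination, and VCG payments discussed earlier, together with the false-name weakness described above, as one added example that is not code from the article. The winner determination is an exhaustive search for tiny instances, the payment rule is the standard Clarke pivot form of VCG, and the bidders, values, and function names are constructed; it is meant for checking a mechanism design against this manipulation.

```python
from itertools import product


def fs(*items):
    return frozenset(items)


def xor_value(bid, bundle):
    """Value of `bundle` under an XOR bid (list of (bundle, value) pairs):
    the highest-valued listed bundle that it contains, else 0."""
    return max((v for listed, v in bid if listed <= bundle), default=0)


def winner_determination(bids, items):
    """Exhaustive search: give each item to one bidder or to nobody and
    keep the allocation with the highest sum of reported values."""
    names = list(bids)
    best_welfare, best_alloc = 0, {n: frozenset() for n in names}
    for owners in product([None] + names, repeat=len(items)):
        alloc = {n: frozenset(i for i, o in zip(items, owners) if o == n)
                 for n in names}
        welfare = sum(xor_value(bids[n], alloc[n]) for n in names)
        if welfare > best_welfare:
            best_welfare, best_alloc = welfare, alloc
    return best_welfare, best_alloc


def vcg(bids, items):
    """Efficient allocation plus Clarke-pivot payments: each bidder pays
    the welfare the others lose because she takes part."""
    welfare, alloc = winner_determination(bids, items)
    payments = {}
    for n in bids:
        others = {m: b for m, b in bids.items() if m != n}
        welfare_without_n, _ = winner_determination(others, items)
        others_with_n = welfare - xor_value(bids[n], alloc[n])
        payments[n] = welfare_without_n - others_with_n
    return alloc, payments


ITEMS = ["a", "b"]
ALICE_TRUE = [(fs("a", "b"), 10)]   # constructed: she only wants the pair
BOB = [(fs("a", "b"), 8)]           # constructed rival bid


def honest_utility():
    """Alice bids truthfully under one identity."""
    alloc, pay = vcg({"alice": ALICE_TRUE, "bob": BOB}, ITEMS)
    return xor_value(ALICE_TRUE, alloc["alice"]) - pay["alice"]


def false_name_utility():
    """Alice splits into two identities, each bidding on a single item."""
    bids = {"alice_1": [(fs("a"), 10)], "alice_2": [(fs("b"), 10)],
            "bob": BOB}
    alloc, pay = vcg(bids, ITEMS)
    won = alloc["alice_1"] | alloc["alice_2"]
    return xor_value(ALICE_TRUE, won) - pay["alice_1"] - pay["alice_2"]


if __name__ == "__main__":
    print("honest utility:", honest_utility())
    print("false-name utility:", false_name_utility())
```

Under one identity Alice pays Bob's bid of 8; under two identities each one's presence costs the others nothing, so both pay 0 and she keeps the full value of the pair.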

A final direction in mechanism de- 
sign concerns extending its techniques 
to dynamic environments, where deci- 
sions must be made over time as addi- 
tional information enters the system. 
Recent years have seen rapid progress 
in generalizing mechanism design tech- 
niques from static to dynamic settings.”° 
For example, sponsored search auctions 
are, in principle, a good application do- 
main for such techniques: the demand 
for, as well as the supply of, advertise-
ment slots next to the results for specific
searches changes over time, but alloca- 
tion decisions must be made now. 


Conclusion 
In this article, I have considered a num- 
ber of settings in which a decision needs 
to be made based on the preferences of 
multiple agents, as well as mechanisms 
for reaching the decision. People have 
been using such mechanisms for millen- 
nia, and have studied them formally for 
centuries (although their game-theoretic 
analysis has taken place mostly in the last 
50 years). Still, computer scientists are 
fundamentally changing these mecha- 
nisms and how they are being used. 
Increased computing power and
better algorithms enable the use of
mechanisms, such as the Kemeny vot-
ing rule and combinatorial auctions, 
that were once considered impractical. 
Also, the Internet provides a great plat- 
form for these mechanisms: it makes 
it easy for spatially distributed users to 
communicate their preferences to the 
mechanism, and they will generally be 
forced to communicate them in a pre-
cise way (for example, a bidder will have
to enter a number on a Web site rather 
than vaguely communicating her pref- 
erences over the phone), which makes 
it possible to run the mechanism auto- 
matically. I (speculatively) imagine that 
in the future, more Web-based mecha- 
nisms will be oriented around social 
networking sites such as Facebook 
and MySpace; the charitable donations
work is a good example of how such
social network structure can be used. 
Computer scientists are also encoun- 
tering mechanism design problems 
in their own work, for example, when 
shared computing resources need to 
be allocated to users. Finally, the para- 
digms of computer science give a dif- 
ferent and useful perspective on some 
classic problems in economics. 

This article has summarized a num- 
ber of applications where computer sci- 
entists have already become involved in 
the design of markets and other proto- 
cols for making decisions based on the 
preferences of multiple agents. I antici- 
pate that the number and importance 
of such applications will grow steeply 
in the years to come. One major reason 
for this is that computer scientists and 
economists interested in market design 
have grown closer together in recent 


94 COMMUNICATIONS OF THE ACM MARCH 2010 


years, and are now seen working together
more often (this is necessitated by high-
value applications such as sponsored
search auctions). Computer scientists
have caught up on many of the key tech-
niques developed in the microeconom-
ics theory literature. On the other side,
economists are becoming increasingly
familiar with techniques from modern
computer science. This is a very nice ex-
ample where “computational thinking”
is being exported to another discipline
(which is certainly not to say that there
were no prior instances of economists
thinking computationally).


A First Glimpse of
Cryptography’s Holy Grail


By Daniele Micciancio 


WE ALL KNOW how to protect our private
or most valuable data from unauthor-
ized access: encrypt it. When a piece
of data M is encrypted under a key K to
yield a ciphertext C = Enc_K(M), only the
intended recipient (who knows the
corresponding secret decryption key
S) will be able to invert the encryption
function and recover the original plain-
text using the decryption algorithm
Dec_S(C) = Dec_S(Enc_K(M)) = M.
Encryption today—in both symmet- 
ric (where S=K) and public key versions 
(where S remains secret even when K 
is made publicly available)—is widely 
used to achieve confidentiality in many 
important and well-known applica- 
tions: online banking, electronic shop- 
ping, and virtual private networks are
just a few of the most common applica-
tions using encryption, typically as part
of a larger protocol, like the TLS proto- 
col used to secure communication over 
the Internet. 

Still, the use of encryption to protect 
valuable or sensitive data can be very 
limiting and inflexible. Once the data 
M is encrypted, the corresponding ci-
phertext C behaves to a large extent as 
a black box: all we can do with the box 
is keep it closed or opened in order to 
access and operate on the data. 

In many situations this may be
exactly what we want. For example, 
take a remote storage system, where 
we want to store a large collection of 
documents or data files. We store the 
data in encrypted form, and when we 
want to access a specific piece of data, 
we retrieve the corresponding cipher- 
text, decrypting it locally on our own 
trusted computer. But as soon as we 
go beyond the simple data storage/ 
retrieval model, we are in trouble. Say 
we want the remote system to provide 
a more complex functionality, like a 
database system capable of indexing
and searching our data, or answering
complex relational or semistructured
queries. Using standard encryption
technology we are immediately faced
with a dilemma: either we store our
data unencrypted and reveal our pre- 
cious or sensitive data to the storage/ 
database service provider, or we en- 
crypt it and make it impossible for the 
provider to operate on it. 

If data is encrypted, then answering 
even a simple counting query (for ex- 
ample, the number of records or files 
that contain a certain keyword) would 
typically require downloading and de- 
crypting the entire database content. 

Homomorphic encryption is a special
kind of encryption that allows operating
on ciphertexts without decrypting them;
in fact, without even knowing the de-
cryption key. For example, given cipher-
texts C = Enc_K(M) and C' = Enc_K(M'),
an additively homomorphic encryp-
tion scheme would allow one to combine
C and C' to obtain Enc_K(M+M'). Such
encryption schemes are immensely
useful in the design of complex cryp-
tographic protocols. For example, an
electronic voting scheme may collect
encrypted votes C_i = Enc_K(M_i) where
each vote M_i is either 0 or 1, and then
tally them to obtain the encryption of
the outcome C = Enc_K(M_1 + ... + M_n). This
would be decrypted by an appropriate
authority that has the decryption key
and ability to announce the result, but
the entire collection and tallying pro-
cess would operate on encrypted data
without the use of the secret key. (Of
course, this is an oversimplified proto-
col, as many other issues must be ad-
dressed in a real election scheme, but
it well illustrates the potential useful-
ness of homomorphic encryption.)
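The vote-tallying idea above, as an added Python example that is not from the article: it uses the Paillier cryptosystem as the additively homomorphic scheme (the article names none), and the toy Mersenne-prime key and all function names are assumptions made for the illustration.

```python
import math
import secrets

# Toy key material constructed for this example: two Mersenne primes.
# Real Paillier keys use randomly generated primes of 1024 bits or more.
P = 2**31 - 1
Q = 2**61 - 1


def keygen(p=P, q=Q):
    """Return (public modulus n, secret key (lam, mu)) for Paillier with g = n + 1."""
    n = p * q
    if math.gcd(n, (p - 1) * (q - 1)) != 1:
        raise ValueError("primes unsuitable for Paillier")
    lam = (p - 1) * (q - 1) // math.gcd(p - 1, q - 1)  # lcm(p-1, q-1)
    mu = pow(lam, -1, n)                               # inverse of lam modulo n
    return n, (lam, mu)


def encrypt(n, m):
    """Enc(m) = (1 + n)^m * r^n mod n^2 with fresh randomness r for every call."""
    n2 = n * n
    while True:
        r = secrets.randbelow(n - 1) + 1
        if math.gcd(r, n) == 1:
            break
    return ((1 + m * n) % n2) * pow(r, n, n2) % n2


def decrypt(n, sk, c):
    """Dec(c) = L(c^lam mod n^2) * mu mod n, where L(u) = (u - 1) / n."""
    lam, mu = sk
    u = pow(c, lam, n * n)
    return ((u - 1) // n) * mu % n


def add(n, c1, c2):
    """Homomorphic addition: multiplying ciphertexts adds the plaintexts."""
    return c1 * c2 % (n * n)


def tally(n, ballots):
    """Combine encrypted 0/1 votes into one ciphertext; needs only the public key."""
    acc = encrypt(n, 0)
    for c in ballots:
        acc = add(n, acc, c)
    return acc


def run_election(votes):
    """Voters encrypt, the tallier adds ciphertexts, the authority decrypts once."""
    n, sk = keygen()
    ballots = [encrypt(n, v) for v in votes]   # done by each voter
    encrypted_result = tally(n, ballots)       # done without the secret key
    return decrypt(n, sk, encrypted_result)    # done by the key-holding authority


if __name__ == "__main__":
    sample_votes = [1, 0, 1, 1, 0, 1, 0]       # constructed sample ballots
    print("yes votes:", run_election(sample_votes))
```

Only `run_election`'s last step touches the secret key; nothing in `tally` checks that a ballot really encrypts 0 or 1, which is one of the issues a real election scheme has to address separately.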

To date, all known homomorphic 
encryption schemes supported essen- 
tially only one basic operation, for ex- 
ample, addition. But the potential of 
fully homomorphic encryption (that 
is, homomorphic encryption sup- 
porting arbitrarily complex computa- 
tions on ciphertexts) is clear. Think 
of encrypting your queries before you 
send them to your favorite search en- 
gine, and receive the encryption of
the result without the search engine
even knowing what the query was. 
Imagine running your most compu- 
tationally intensive programs on your 
large datasets on a cluster of remote 
computers, as in a cloud computing 
environment, while keeping both your 
programs, data, and results encrypted
and confidential. The idea of fully ho-
momorphic encryption schemes was
first proposed by Rivest, Adleman,
and Dertouzos in the late 1970s, but re-
mained a mirage for three decades, 
the never-to-be-found Holy Grail of 
cryptography. At least until 2008, 
when Craig Gentry announced a new 
approach to the construction of fully 
homomorphic cryptosystems. 

In the following paper, Gentry de- 
scribes his innovative method for 
constructing fully homomorphic en- 
cryption schemes, the first credible
solution to this long-standing major
problem in cryptography and theoret-
ical computer science at large. While 
much work is still to be done before 
fully homomorphic encryption can 
be used in practice, Gentry’s work is 
clearly a landmark achievement. Be- 
fore Gentry’s discovery many members 
of the cryptography research commu- 
nity thought fully homomorphic en- 
cryption was impossible to achieve. 
Now, most cryptographers (me among 
them) are convinced the Holy Grail ex- 
ists. In fact, there must be several of 
them, more or less efficient ones, all 
out there waiting to be discovered. 
Gentry gives a very accessible and 
enjoyable description of his general 
method to achieve fully homomorphic 
encryption as well as a possible instan- 
tiation of his framework recently pro- 
posed by van Dijk, Gentry, Halevi, and
Vaikuntanathan. He has taken great 
care to explain his technically complex 
results, some of which have their roots 
in lattice-based cryptography, using a 
metaphorical tale of a jeweler and her 
quest to keep her precious materials 
safe, while at the same time allowing 
her employees to work on them. 
Gentry’s homomorphic encryption 
work is truly worth a read. 


Daniele Micciancio is a professor in the computer science
and engineering department at the University of California,
San Diego.


Computing Arbitrary Functions
of Encrypted Data 


By Craig Gentry 


Abstract 

Suppose that you want to delegate the ability to process your 
data, without giving away access to it. We show that this 
separation is possible: we describe a “fully homomorphic” 
encryption scheme that keeps data private, but that allows a 
worker that does not have the secret decryption key to com- 
pute any (still encrypted) result of the data, even when the 
function of the data is very complex. In short, a third party 
can perform complicated processing of data without being 
able to see it. Among other things, this helps make cloud 
computing compatible with privacy. 


1. INTRODUCTION 
Is it possible to delegate processing of your data without giv- 
ing away access to it? 

This question, which tests the tension between conve- 
nience and privacy, has always been important, but seems 
especially so now that we are headed toward widespread use 
of cloud computing. To put everything online “in the cloud,” 
unencrypted, is to risk an Orwellian future. For certain types 
of data, such as medical records, storing them off-site unen- 
crypted may be illegal. On the other hand, encrypting one’s 
data seems to nullify the benefits of cloud computing. Unless
I give the cloud my secret decryption key (sacrificing my pri-
vacy), what can I expect the cloud to do with my encrypted
data except send it back to me, so that I can decrypt it and 
process it myself? 

Fortunately, this is a false dilemma, or at least conve- 
nience and privacy can be reconciled to a large extent. 
For data that is encrypted with an “ordinary” encryption 
scheme, it is virtually impossible for someone without the 
secret decryption key (such as the cloud) to manipulate the 
underlying data in any useful way. However, some encryp- 
tion schemes are homomorphic or malleable. They let anyone 
manipulate (in a meaningful way) what is encrypted, even 
without knowing the secret key! 

In this paper, we describe the first fully homomorphic 
encryption (FHE) scheme, where “fully” means that there 
are no limitations on what manipulations can be per- 
formed. Given ciphertexts c_1, ..., c_t that encrypt m_1, ..., m_t with
our scheme under some key, and given any efficiently com-
putable function f, anyone can efficiently compute a cipher-
text (or set of ciphertexts) that encrypts f(m_1, ..., m_t) under
that key. In short, this permits general computations on
encrypted data. No information about m_1, ..., m_t or the value
of f(m_1, ..., m_t) is leaked.

This means that cloud computing is consistent with 
privacy. If I want the cloud to compute for me some func- 
tion f of my (encrypted) data m_1, ..., m_t—for example,
this function could be “all files containing ‘CACM’ or
‘Communications’ within three words of ‘ACM’”—I send
a description of f to the cloud, which uses the scheme’s
malleability to compute an encryption of f(m_1, ..., m_t), which
I decrypt. The cloud never sees any unencrypted data.
If I want, I can even use the scheme to encrypt a descrip-
tion of f, so that the cloud does not even see what I am 
searching for. 

Rivest, Adleman, and Dertouzos suggested that fully
homomorphic encryption may be possible in 1978, shortly
after the invention of the RSA cryptosystem, but were unable
to find a secure scheme. As an application, they described our 
private cloud computing scenario above, though of course 
they used different terminology. There are many other appli- 
cations. Homomorphic encryption is useful whenever it is 
acceptable if a response (e.g., to a search engine query) is 
encrypted. 

Below, we begin by describing homomorphic encryp- 
tion in more detail. Then, we describe a concrete scheme 
due to van Dijk, Gentry, Halevi, and Vaikuntanathan,
which uses only simple integer operations, and is a con-
ceptually simpler version of the first scheme by Gentry,
which uses lattices. Toward the end, we discuss the 
scheme’s (rather slow) performance. Throughout, we try 
to make the ideas more tangible by constantly return- 
ing to a physical analogy: a jewelry store owner, Alice, 
who wants her workers to process raw precious materials
into intricately designed rings and necklaces, but who is
afraid to give her workers complete access to the materials
for fear of theft. 


2. HOMOMORPHIC ENCRYPTION 


2.1. Alice’s jewelry store 
At first, the notion of processing data without having 
access to it may seem paradoxical, even logically impos- 
sible. To convince you that there is no fallacy, and to give 
you some intuition about the solution, let us consider an 
analogous problem in (a fictional version of) the “physical 
world.” 

Alice owns a jewelry store. She has raw precious mate- 
rials—gold, diamonds, silver, etc.—that she wants her 
workers to assemble into intricately designed rings and
necklaces. But she distrusts her workers and assumes that
they will steal her jewels if given the opportunity. In other
words, she wants her workers to process the materials into
finished pieces, without giving them access to the materials.
What does she do?


This paper draws from the STOC 2009 paper “Fully
Homomorphic Encryption Using Ideal Lattices,” my
thesis, and a recent manuscript co-authored with van
Dijk, Halevi, and Vaikuntanathan.


Here is her plan. She uses a transparent impenetrable 
glovebox, secured by a lock for which only she has the key. 
She puts the raw precious materials inside the box, locks it,
and gives it to a worker. Using the gloves, the worker assem-
bles the ring or necklace inside the box. Since the box is
impenetrable, the worker cannot get to the precious materi-
als, and figures he might as well return the box to Alice, with
the finished piece inside. Alice unlocks the box with her key
and extracts the ring or necklace. In short, the worker pro- 
cesses the raw materials into a finished piece, without hav- 
ing true access to the materials. 

The locked impenetrable box, with raw precious materials 
inside, represents an encryption of the initial data m_1, ..., m_t,
which can be accessed only with the secret decryption key. 
The gloves represent the homomorphism or malleability 
of the encryption scheme, which allows the raw data to be 
manipulated while it is inside the “encryption box.” The 
completed ring or necklace inside the box represents the 
encryption of f(m_1, ..., m_t), the desired function of the ini-
tial data. Note that “lack of access” is represented by lack of 
physical access, as opposed to lack of visual access, to the 
jewels. (For an analogy that uses lack of visual access, con- 
sider a photograph developer’s darkroom.) 

Of course, Alice’s jewelry store is only an analogy. 
It does not represent some aspects of homomorphic 
encryption well, and taking it too literally may be more 
confusing than helpful. We discuss some flaws in the anal-
ogy at the end of this section, after we describe homomor-
phic encryption more formally. Despite its flaws, we return
to the analogy throughout, since it motivates good ques- 
tions, and represents some aspects of our solution quite 
well—most notably, “bootstrapping,” which we discuss in 
Section 4. 


2.2. Homomorphic encryption: functionality 
An encryption scheme E has three algorithms: KeyGen_E,
Encrypt_E, and Decrypt_E, all of which must be efficient—that
is, run in time poly(λ), polynomial in a security parameter
λ that specifies the bit-length of the keys. In a symmetric, or
secret key, encryption scheme, KeyGen_E uses λ to generate a
single key that is used in both Encrypt_E and Decrypt_E, first to
map a message to a ciphertext, and then to map the cipher-
text back to the message. In an asymmetric, or public key,
encryption scheme, KeyGen_E uses λ to generate two keys—a
public encryption key pk, which may be made available to 
everyone, and a secret decryption key sk. As a physical anal- 
ogy for an asymmetric encryption scheme, one can think of 
Alice’s public key as a padlock, which she constructs and 
distributes, that can be locked without a key. Anyone can put 
a message inside a box secured by Alice’s padlock (encrypt), 
and mail it via a public channel to Alice, but only Alice has 
the key needed to unlock it (decrypt). 

A homomorphic encryption scheme can be either sym- 
metric or asymmetric, but we will focus on the asymmetric
case. It has a fourth algorithm Evaluate_E, which is associ-
ated to a set F_E of permitted functions. For any function f in
F_E and any ciphertexts c_1, ..., c_t with c_i ← Encrypt_E(pk, m_i),
the algorithm Evaluate_E(pk, f, c_1, ..., c_t) outputs a ciphertext
c that encrypts f(m_1, ..., m_t)—i.e., such that Decrypt_E(sk, c) =
f(m_1, ..., m_t). (For convenience, we will assume that f has one
output. If f has k outputs, then Evaluate_E outputs k cipher-
texts that encrypt f(m_1, ..., m_t) collectively.) As shorthand, we
say that E can handle functions in F_E. For a function f not
in F_E, there is no guarantee that Evaluate_E will output any-
thing meaningful. Typically Evaluate_E is undefined for such
a function.

As described thus far, it is trivial to construct an encryp- 
tion scheme that can handle all functions. Just define 
Evaluate_E as follows: simply output c ← (f, c_1, ..., c_t), without
“processing” the ciphertexts at all. Modify Decrypt_E slightly:
to decrypt c, decrypt c_1, ..., c_t to obtain m_1, ..., m_t, and then
apply f to these messages.


But this trivial solution obviously does not conform to the 
spirit of what we are trying to achieve—to delegate the data 
processing (while maintaining privacy). The trivial solution 
is as if, in Alice’s jewelry store, the worker simply sends the 
box (which need not have gloves) back to Alice without doing 
any work on the raw precious materials, and Alice unlocks 
the box, extracts the materials, and assembles the ring or 
necklace herself. 

So, how do we formalize what it means to delegate? 
Intuitively, the purpose of delegation is to reduce one’s 
workload. We can formalize this in terms of the running 
times (i.e., complexity) of the algorithms. Specifically, we 
require that decrypting c (the ciphertext output by Evaluate_E)
takes the same amount of computation as decrypting c_1 (a
ciphertext output by Encrypt_E). Moreover, we require that c
is the same size as c_1. We refer to these as the compact cipher-
texts requirement. Again, the size of c and the time needed
to decrypt it do not grow with the complexity of f; rather, they
are completely independent of f (unless f has multiple out-
puts). Also, of course, the complexity of Decrypt_E, as well as
the complexity of KeyGen_E and Encrypt_E, must remain poly-
nomial in λ.

E is fully homomorphic if it can handle all functions, has
compact ciphertexts, and Evaluate_E is efficient in a way that
we specify below. The trivial solution above certainly is not
fully homomorphic, since the size of the ciphertext output
by Evaluate_E, as well as the time needed to decrypt it, depend
on the function being evaluated. In terms of Alice’s jewelry 
store, our definition of fully homomorphic captures the best- 
case scenario for Alice: her workers can assemble arbitrarily 
complicated pieces inside the box, but the work needed to 
assemble has no bearing on the work Alice needs to do to 
unlock the box and extract the piece. 

We want our fully homomorphic scheme to be efficient 
for the worker, as well. In particular, we want the complex- 
ity of Evaluate_E—like the other algorithms of E—to depend
only polynomially on the security parameter. But clearly its
complexity must also depend on the function being evalu-
ated. How do we measure the complexity of f? Perhaps the
most obvious measure is the running time T_f of a Turing
machine that computes f. We use a related measure, the size
S_f of a boolean circuit (i.e., the number of AND, OR, and NOT
gates) that computes f. Any function that can be computed
in T_f steps on a Turing machine can be expressed as a circuit
with about T_f gates. More precisely, S_f < k · T_f · log T_f for some
small constant k. Overall, we say that Evaluate_E is efficient if
there is a polynomial g such that, for any function f that is
represented by a circuit of size S_f, Evaluate_E(pk, f, c_1, ..., c_t) has
complexity at most S_f · g(λ).

The circuit representation of f is also useful because it
breaks the computation of f down into simple steps—e.g.,
AND, OR, and NOT gates. Moreover, to evaluate these gates,
it is enough to be able to add, subtract, and multiply. (In
fact, it is enough if we can add, subtract and multiply mod-
ulo 2.) In particular, for x, y ∈ {0, 1}, we have AND(x, y) = xy,
OR(x, y) = 1 − (1 − x)(1 − y) and NOT(x) = 1 − x. So, to obtain
a fully homomorphic encryption scheme, all we need is a
scheme that operates on ciphertexts so as to add, subtract,
and multiply the underlying messages, indefinitely.

But is the circuit representation of f—or some arithmetized
version of it in terms of addition, subtraction, and multiplica-
tion—necessarily the most efficient way to evaluate f? In fact,
some functions, like binary search, take much longer on a
Turing machine or circuit than on a random access machine.
On a random access machine, a binary search algorithm on t
ordered items only needs to “touch” O(log t) of its inputs.

A moment’s thought shows that random-access speed-
ups cannot work if the data is encrypted. Unless we know
something a priori about the relationship between f and
m_1, ..., m_t, the algorithm Evaluate_E(pk, f, c_1, ..., c_t) must touch
all of the input ciphertexts, and therefore have complexity
at least linear in the number of inputs. To put it another
way, if Evaluate_E (for some reason) did not touch the second
half of the ciphertexts, this would leak information about
the second half of the underlying messages—namely, their
irrelevance in the computation of f—and this leakage would
contradict the security of the encryption scheme. While
Evaluate_E must have running time at least linear in t as an
unavoidable cost of the complete privacy that homomorphic
encryption provides, a trade-off is possible. If I am willing to
reveal—e.g., in the cloud computing context—that the files
that I want are contained in a certain 1% of my data, then
I may help the cloud reduce its work by a factor of 100.

Another artifact of using a fixed circuit representation of
f is that the size of the output—i.e., the number of output
wires in the circuit—must be fixed in advance. For example,
when I request all of my files that contain a combination
of keywords, I should also specify how much data I want
retrieved—e.g., 1MB. From my request, the cloud will gener-
ate a circuit for a function that outputs the first megabyte of
the correct files, where that output is truncated (if too much
of my data satisfies my request), or padded with zeros (if too
little). A moment’s thought shows that this is also unavoid-
able. There is no way the cloud can avoid truncating or
padding unless it knows something a priori about the rela-
tionship between the function and my data.


2.3. Homomorphic encryption: security
In terms of security, the weakest requirement for an encryp-
tion scheme is one-wayness: given the public key pk and a
ciphertext c that encrypts unknown message m under pk, it
should be “hard” to output m. “Hard” means that any algo-
rithm or “adversary” A that runs in poly(λ) time has a negligi-
ble probability of success over the choices of pk and m (i.e., the
probability it outputs m is less than 1/λ^k for any constant k).
Nowadays, we typically require an encryption scheme to
have a stronger security property, called semantic security
against chosen-plaintext attacks (CPA): given a ciphertext c
that encrypts either m_0 or m_1, it is hard for an adversary to
decide which, even if it is allowed to choose m_0 and m_1. Here,
“hard” means that if the adversary A runs in polynomial
time and guesses correctly with probability 1/2 + ε, then ε,
called A’s advantage, must be negligible. If this advantage
is nonnegligible, then we say (informally) that the adversary
breaks the semantic security of the encryption scheme.

If an encryption scheme is deterministic—i.e., if there is
only one ciphertext that encrypts a given message—then it
cannot be semantically secure. An attacker can easily tell
whether c encrypts m_0, by running c_0 ← Encrypt_E(pk, m_0) and
seeing if c and c_0 are the same. A semantically secure encryp-
tion scheme must be probabilistic—i.e., there must be many
ciphertexts that encrypt a given message, and Encrypt_E must
choose one randomly according to some distribution.

One can prove the (conditional) one-wayness or semantic
security of an encryption scheme by reducing a hard prob-
lem to breaking the encryption scheme. For example, sup-
pose one shows that if there is an efficient algorithm that
breaks the encryption scheme, then this algorithm can be
used as a subroutine in an efficient algorithm that factors
large numbers. Then, under the assumption that factor-
ing is hard—i.e., that no poly(λ)-time algorithm can factor
λ-bit numbers—the reduction implies that the encryption
scheme must be hard to break.

Semantic security of a homomorphic encryption scheme
is defined in the same way as for an ordinary encryption
scheme, without reference to the Evaluate_E algorithm. If
we manage to prove a reduction—i.e., that an attacker that
breaks E can be used to solve a hard problem like factoring—
then this reduction holds whether or not E has an Evaluate_E
algorithm that works for a large set of functions.

To understand the power of semantic security, let us 
reconsider our cloud computing application. Sometime 
after storing her encrypted files in the cloud, Alice wants the 
cloud to retrieve the files that have a certain combination 
of keywords. Suppose that in its response, the cloud sends 
ciphertexts that encrypt the first three files. Can’t the cloud 
just see that the first three encrypted files that it is storing 
for Alice happen to encrypt the same content as the three 
files that it sends to Alice? Not if the scheme is semantically 
secure. Even though some of the stored ciphertexts encrypt 
the same content as the sent ciphertexts, the cloud cannot 
see this, because semantic security guarantees that it is hard 
to tell whether two ciphertexts encrypt the same content. 

Intuitively, it seems like the Evaluate_E algorithm should
make E easier to break, simply because this additional algo-
rithm gives the attacker more power. Or, to put it in terms of
the physical analogy, one would think that the easiest way
to get inside the glovebox is to cut through the gloves, and
that, the more flexible the gloves are, the easier the glovebox
is to compromise; this suggests that, the more malleable
the encryption scheme is, the easier it is to break. There is
some truth to this intuition. Researchers showed that if
E is a deterministic fully homomorphic encryption scheme
(or, more broadly, one for which it is easy to tell whether two
ciphertexts encrypt the same thing), then E can be broken
in subexponential time, and in only polynomial time (i.e., 
efficiently) on a quantum computer. So, malleability seems 
to weaken the security of deterministic schemes. But these 
results do not apply to semantically secure schemes, such 
as ours. 


2.4. Some flaws in the physical analogy 
The physical analogy represents some aspects of homomor- 


phic encryption poorly. For example, the physical analogy | 
suggests that messages that are encrypted separately are in | 
different “encryption boxes” and cannot interact. Of course, | 


this interaction is precisely the purpose of homomorphic 
encryption. To fix the analogy, one may imagine that the 


entirely satisfactory.) 

Another flaw is that the output ft, ..., ™,) may have signifi- 
cantly fewer bits than m,, ...,,, whereas in the analogy (absent 
significant nuclear activity inside the glovebox) the conserva- 
tion of mass dictates that the box will have at least as much 


material inside when the worker is done as when he started. | 
Finally, in Alice’s jewelry store, even though a worker cannot — 
extract the materials from a locked glovebox, he can easily tell 


whether or not a box contains a certain set of materials—i.e., 
the gloveboxes do not provide “semantic security.” 


3. A SOMEWHAT HOMOMORPHIC ENCRYPTION 
SCHEME 

On our way to fully homomorphic encryption, we begin by 
constructing a somewhat homomorphic encryption scheme 
é that can handle a limited class F, of permitted functions. 
Evaluate, (pk, f, c,, ..., ¢,) does not work for functions f that 
are too complicated. Later, we will show to use € to obtain 
fully homomorphic encryption. 


3.1. Meanwhile in Alice’s jewelry store 
After figuring out how to use locked gloveboxes to get her 


workers to process her precious materials into fancy rings | 


and necklaces, Alice puts in an order with Acme Glovebox 
Company. Unfortunately, the gloveboxes she receives are 
defective. After a worker uses the gloves for 1 min, the gloves 


stiffen and become unusable. But some of the fanciest | 


pieces take up to an hour to assemble. Alice sues Acme, but 


meanwhile she wonders: Is there some way I can use these | 


defective boxes to get the workers to securely assemble even 
the most complicated pieces? 

She notices that the boxes, while defective, do have a 
property that might be useful. As expected, they have a one- 


way insertion slot, like post office mail bins. But they are also | 


flexible enough so that it is possible to put one box inside 
another through the slot. She wonders whether this property 
might play a role in the solution to her problem, etc. 
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3.2. Our somewhat homomorphic scheme 
Our somewhat homomorphic encryption scheme e, 
described below, is remarkably simple.° We describe it first 
as a symmetric encryption scheme. As an example param- 
eter setting, for security parameter i, set N = A, P = A? and 
Q=22. 

An Encryption Scheme:

$\mathrm{KeyGen}_{\mathcal{E}}(\lambda)$: The key is a random $P$-bit odd integer $p$.

$\mathrm{Encrypt}_{\mathcal{E}}(p, m)$: To encrypt a bit $m \in \{0, 1\}$, set $m'$ to be a
random $N$-bit number such that $m' = m \bmod 2$. Output
the ciphertext $c \leftarrow m' + pq$, where $q$ is a random $Q$-bit
number.

$\mathrm{Decrypt}_{\mathcal{E}}(p, c)$: Output $(c \bmod p) \bmod 2$, where $(c \bmod p)$ is
the integer $c'$ in $(-p/2, p/2)$ such that $p$ divides $c - c'$.


Ciphertexts from $\mathcal{E}$ are near-multiples of $p$. We call $(c \bmod p)$
the noise associated to the ciphertext $c$. It is the distance
to the nearest multiple of $p$. Decryption works because the
noise is $m'$, which has the same parity as the message. We
call a ciphertext output by Encrypt a fresh ciphertext, since it
has small ($N$-bit) noise.

gloveboxes have a one-way insertion slot like the mail bins
used by the post office. Then, messages can be added to
the same encryption box as they arrive. (Even this fix is not

How is the scheme homomorphic? By simply adding, 
subtracting, or multiplying the ciphertexts as integers, we 
can add, subtract, or multiply (modulo 2) the underlying 
messages. However, complications arise, because these 
operations increase the noise associated to resulting ciphertexts.
Eventually, the noise becomes so large that decryption
no longer reliably returns the correct result.

Homomorphic Operations:

$\mathrm{Add}_{\mathcal{E}}(c_1, c_2)$, $\mathrm{Sub}_{\mathcal{E}}(c_1, c_2)$, $\mathrm{Mult}_{\mathcal{E}}(c_1, c_2)$: the output ciphertext $c$
is $c_1 + c_2$, $c_1 - c_2$, or $c_1 \cdot c_2$.

$\mathrm{Evaluate}_{\mathcal{E}}(f, c_1, \ldots, c_t)$: Express the boolean function $f$ as a
circuit $C$ with XOR and AND gates. Let $C'$ be the same
circuit as $C$, but with XOR and AND gates replaced by
addition and multiplication gates over the integers.
Let $f'$ be the multivariate polynomial that corresponds
to $C'$. Output $c \leftarrow f'(c_1, \ldots, c_t)$.


Let us check that ciphertexts output by $\mathrm{Evaluate}_{\mathcal{E}}$ decrypt
correctly. As a warm-up, let us consider $\mathrm{Mult}_{\mathcal{E}}$. Let $c = c_1 \cdot c_2$,
where $c_i$’s noise is $m'_i$, which has the same parity as the
message $m_i$. We have that

$$c = m'_1 \cdot m'_2 + p q'$$

for some integer $q'$. As long as the noises are small enough
so that $|m'_1 \cdot m'_2| < p/2$, we have that

$$(c \bmod p) = m'_1 \cdot m'_2$$

and therefore $(c \bmod p) \bmod 2 = m_1 \cdot m_2$, as it should be. We
will consider the evaluation of more complicated functions
momentarily, in Section 3.3.

So far we only described a symmetric homomorphic
encryption scheme. Turning it into a public-key scheme is
easy, but adds some complexity. As before, the secret key
is $p$. The public key consists of a list of integers that are
essentially “encryptions of zero.” The list has length
polynomial in $\lambda$. To encrypt a bit $m$, the ciphertext $c$ is
(essentially) $m$ plus a random subset sum of the ciphertexts in the
public key. If these ciphertexts have very small noise, the
resulting ciphertext will also have small noise, and decryption
will work properly: $(c \bmod p) \bmod 2$ will equal $m$, as
before.


3.3. How homomorphic is it?
What is the set of permitted functions that our homomorphic
encryption scheme $\mathcal{E}$ can handle?

To answer this question, we need to analyze how the
noise grows as we add and multiply ciphertexts. $\mathrm{Encrypt}_{\mathcal{E}}$
outputs a fresh ciphertext with a small noise, at most $N$ bits.
As we $\mathrm{Add}_{\mathcal{E}}$, $\mathrm{Sub}_{\mathcal{E}}$, or $\mathrm{Mult}_{\mathcal{E}}$ ciphertexts, the output ciphertext
becomes more noisy. Multiplication tends to increase the
noise faster than addition or subtraction. In particular, for
ciphertexts $c_1$ and $c_2$ with $k_1$- and $k_2$-bit noises, the ciphertext
$c \leftarrow c_1 \cdot c_2$ has (roughly) $(k_1 + k_2)$-bit noise.

What happens when we perform many $\mathrm{Add}_{\mathcal{E}}$, $\mathrm{Sub}_{\mathcal{E}}$, and
$\mathrm{Mult}_{\mathcal{E}}$ operations, as prescribed by the circuit representing
a function $f$? Similar to what we saw above with multiplication,
we have

$$f'(c_1, \ldots, c_t) = f'(m'_1, \ldots, m'_t) + p q'$$

for some integer $q'$, where $m'_i$ is the noise associated to $c_i$.
If $|f'(m'_1, \ldots, m'_t)| < p/2$, then $(f'(c_1, \ldots, c_t) \bmod p)$ equals
$f'(m'_1, \ldots, m'_t)$. And if we reduce this result modulo 2, we
obtain the correct result: $f(m_1, \ldots, m_t)$.

In short, the functions that $\mathcal{E}$ can handle are those for
which $|f'(a_1, \ldots, a_t)|$ is always less than $p/2$ if all of the $a_i$ are
at most $N$ bits.

$\mathcal{E}$ is already quite powerful. As an example, it can
handle an elementary symmetric polynomial of degree $d$ in $t$
variables, as long as $2^{Nd} \cdot \binom{t}{d} < p/2$, which is true (roughly)
when $d < P/(N \cdot \log t)$. For our suggested parameters, this
degree can be quite large: $\lambda/(\log t) = \Omega(\lambda/\log \lambda)$. That $\mathcal{E}$ can
evaluate polynomials of such high degree makes it “homomorphic
enough” for many applications. For example, it
works well when $f$ is a highly parallelizable function—e.g.,
a basic keyword search—in which case $f'$ has fairly low
degree.
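The symmetric scheme of Section 3.2 and the noise limit of Section 3.3, as an added example that is not code from the article. The parameter sizes are assumptions chosen far too small for security so the overflow is visible, and the top bit of each fresh noise is forced so that the point of failure is predictable.

```python
import secrets

# Toy parameters (assumption, far too small for security): chosen so that
# the noise limit p/2 is reached after a few multiplications.
N_BITS = 8      # N: bits of noise in a fresh ciphertext
P_BITS = 64     # P: bits of the secret odd integer p
Q_BITS = 256    # Q: bits of the random multiplier q


def keygen(p_bits=P_BITS):
    """Secret key: a random odd integer p with exactly p_bits bits."""
    return secrets.randbits(p_bits) | (1 << (p_bits - 1)) | 1


def centered_mod(c, p):
    """(c mod p) taken in (-p/2, p/2); this is the noise of ciphertext c."""
    r = c % p
    return r - p if r > p // 2 else r


def encrypt(p, m, n_bits=N_BITS, q_bits=Q_BITS):
    """c = m' + p*q, with m' of the same parity as the bit m.

    The top bit of m' is forced so that m' has exactly n_bits bits; this
    keeps the noise growth in the demo predictable (demo choice).
    """
    if m not in (0, 1):
        raise ValueError("plaintext must be a single bit")
    m_prime = (1 << (n_bits - 1)) | (secrets.randbits(n_bits - 2) << 1) | m
    return m_prime + p * secrets.randbits(q_bits)


def decrypt(p, c):
    """(c mod p) mod 2; correct only while the true noise stays below p/2."""
    return centered_mod(c, p) % 2


def noise_bits(p, c):
    """Bit length of the measured noise |c mod p|."""
    return abs(centered_mod(c, p)).bit_length()


def and_xor(ca, cb, cc):
    """Evaluate f(a, b, c) = (a AND b) XOR c: AND -> *, XOR -> + over Z."""
    return ca * cb + cc


def product_of_ones(p, k):
    """Multiply k fresh encryptions of 1 and compare with the true noise.

    Returns (decrypted_bit, measured_noise_bits, intact), where intact says
    whether (c mod p) still equals the integer product of the fresh noises.
    """
    true_noise = 1
    product = 1
    for _ in range(k):
        c = encrypt(p, 1)
        true_noise *= centered_mod(c, p)   # fresh noise is exactly m'
        product *= c                       # Mult is the plain integer product
    intact = centered_mod(product, p) == true_noise
    return decrypt(p, product), noise_bits(p, product), intact


if __name__ == "__main__":
    key = keygen()
    for k in (1, 4, 7, 10, 16):
        bit, bits, intact = product_of_ones(key, k)
        print(f"k={k:2d} noise={bits:2d} bits intact={intact} decrypts to {bit}")
```

With these sizes, seven multiplications keep the noise under 56 bits and always decrypt to 1; from ten multiplications on, the product of the noises exceeds p, the value (c mod p) wraps around, and the decrypted bit is no longer reliable.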


3.4. Semantic security and approximate GCDs
Euclid showed that, given two integers $x_1$ and $x_2$, it is easy to
compute their greatest common divisor (gcd). But suppose
that $x_1 = s_1 + p \cdot q_1$ and $x_2 = s_2 + p \cdot q_2$ are near-multiples of $p$,
with $s_1$ and $s_2$ much smaller than $p$. When $p$ is only an approximate
gcd, is it still possible to compute $p$ efficiently—i.e., in
time polynomial in the bit-lengths of $x_1$ and $x_2$? Not in general,
as far as we know.

In fact, if we sample $s_i$, $p$ and $q_i$ with $\lambda$, $\lambda^2$, and $\lambda^5$ bits (similar
to our scheme $\mathcal{E}$), then the approximate gcd problem seems
to remain hard even if we are given arbitrarily many samples
$x_i = s_i + p \cdot q_i$, rather than just two. For these parameters,
known attacks—including those using continued fractions
and simultaneous diophantine approximation—take time
essentially exponential in $\lambda$.


Moreover, we can reduce the approximate gcd problem 
to the security of our somewhat homomorphic encryption 
scheme. That is, we can prove that an attacker cannot effi- 
ciently break the semantic security of our encryption scheme 
unless the approximate gcd problem is easy. 


4. BOOTSTRAPPABLE ENCRYPTION


4.1. Alice’s eureka moment 
One night, Alice dreams of immense riches, caverns piled 
high with silver, gold, and diamonds. Then, a giant dragon 
devours the riches and begins to eat its own tail! She awakes 
with a feeling of peace. As she tries to make sense of her 
dream, she realizes that she has the solution to her prob- 
lem. She knows how to use her defective boxes to securely 
delegate the assembly of even the most intricate pieces! 
Like before, she gives a worker a glovebox, box #1, containing
the raw materials. But she also gives him several additional
gloveboxes, where box #2 contains (locked inside) the
key to box #1, box #3 contains the key to box #2, and so on.
To assemble an intricate design, the worker manipulates the
materials in box #1 until the gloves stiffen. Then, he places
box #1 inside box #2, where the latter box already contains
the key to box #1. Using the gloves for box #2, he opens box
#1 with the key, extracts the partially assembled trinket, and
continues the assembly within box #2 until its gloves stiffen.
He then places box #2 inside box #3, and so on. When the
worker finally finishes his assembly inside box #n, he hands
the box to Alice.

Of course, Alice observes, this trick does not work unless 
the worker can open box #i within box #(i + 1), and still 
have time to make a little bit of progress on the assembly, 
all before the gloves of box #(i + 1) stiffen. But as long as the
unlocking operation (plus a little bit of assembly work) takes 
less than a minute, and as long as she has enough defective 
gloveboxes, then it is possible to assemble any piece, no 
matter how complicated! 


4.2. A dream deciphered
In the analogy, the defective gloveboxes represent our somewhat
homomorphic encryption scheme, which can perform
Add, Sub, and Mult operations on ciphertexts for a little
while—it can handle functions in a limited set $\mathcal{F}_{\mathcal{E}}$—until the
noise becomes too large. What we would like to do is use this
somewhat homomorphic scheme to construct a fully homomorphic
one.

As before, box #1 with the precious materials inside
represents the ciphertexts that encrypt the initial data. Box
#(i + 1) with the key for box #i inside represents an encrypted
secret decryption key—i.e., $sk_i$ encrypted under $pk_{i+1}$.

In the analogy, Alice discovers that there is only one thing
that her workers really need to be able to do in less than
1 min with the gloves, aside from performing a very small
operation on the piece: unlock box #i within box #(i + 1) and
extract the piece. It will turn out that there is only one function
that our scheme $\mathcal{E}$ really needs to be able to handle, with
a tiny bit of room left over to perform one more Add, Sub,
or Mult: the decryption function (which is like unlocking the
“encryption box”).

If $\mathcal{E}$ has this self-referential property of being able to
handle its own decryption function (augmented by a single
gate), we say that it is bootstrappable. As we will show, if $\mathcal{E}$
is bootstrappable, then one can use $\mathcal{E}$ to construct a fully
homomorphic encryption scheme $\mathcal{E}'$.


4.3. Bootstrappable to fully homomorphic
Suppose that $\mathcal{E}$ is bootstrappable. In particular, suppose that
$\mathcal{E}$ can handle the following four functions: the decryption
function, expressed as a circuit $D_{\mathcal{E}}$ of size polynomial in $\lambda$, as
well as $D_{\mathcal{E}}$ augmented by an Add, Sub, or Mult gate modulo 2.
($D_{\mathcal{E}}$ augmented by Add consists of two copies of $D_{\mathcal{E}}$ connected
by an Add gate.) We will show that this is a complete set of circuits,
in the sense that if these four circuits are in $\mathcal{F}_{\mathcal{E}}$, then one
can construct from $\mathcal{E}$ a scheme $\mathcal{E}'$ that is fully homomorphic.

As a warm-up, suppose that ciphertext $c_1$ encrypts the bit
$m$ under key $pk_1$. Suppose also that we have an encrypted
secret key: let $\overline{sk_1}$ be a vector of ciphertexts that encrypt the
bits of $sk_1$ under $pk_2$ via $\mathrm{Encrypt}_{\mathcal{E}}(pk_2, sk_{1j})$. Consider the
following algorithm.

$\mathrm{Recrypt}_{\mathcal{E}}(pk_2, D_{\mathcal{E}}, \overline{sk_1}, c_1)$.

    Generate $\overline{c_1}$ via $\mathrm{Encrypt}_{\mathcal{E}}(pk_2, c_{1j})$ over the bits of $c_1$
    Output $c \leftarrow \mathrm{Evaluate}_{\mathcal{E}}(pk_2, D_{\mathcal{E}}, \overline{sk_1}, \overline{c_1})$

The decryption circuit $D_{\mathcal{E}}$ has input wires for the bits of a
secret key and the bits of a ciphertext. Above, $\mathrm{Evaluate}_{\mathcal{E}}$ takes
in the bits of $sk_1$ and $c_1$, each encrypted under $pk_2$. Then, $\mathcal{E}$ is
used to evaluate the decryption circuit homomorphically. As
long as $\mathcal{E}$ can handle $D_{\mathcal{E}}$, the output $c$ is an encryption under
$pk_2$ of $\mathrm{Decrypt}_{\mathcal{E}}(sk_1, c_1) = m$. $\mathrm{Recrypt}_{\mathcal{E}}$ therefore outputs a new
encryption of $m$, but under $pk_2$.

One fascinating thing about $\mathrm{Recrypt}_{\mathcal{E}}$ is that the message
$m$ is doubly encrypted at one point, first under $pk_1$
and next under $pk_2$. Ordinarily, the only thing one can do
with a doubly encrypted message is to peel off the outer
encryption first, and then decrypt the inner layer. However,
in $\mathrm{Recrypt}_{\mathcal{E}}$, the $\mathrm{Evaluate}_{\mathcal{E}}$ algorithm is used to remove the
inner encryption, just like Alice unlocks box #i while it is
inside box #(i + 1).

It is also useful to imagine that $\mathcal{E}$ is our somewhat homomorphic
encryption scheme from Section 3, and consider
what $\mathrm{Recrypt}_{\mathcal{E}}$ does to the noise of the ciphertexts. Evaluating
$D_{\mathcal{E}}$ removes the noise associated to the first ciphertext
under $pk_1$ (because, of course, decryption removes noise),
but $\mathrm{Evaluate}_{\mathcal{E}}$ simultaneously introduces new noise while
evaluating the ciphertexts under $pk_2$. As long as the new
noise added is less than the old noise removed, we have
made “progress.” A similar situation holds in Alice’s jewelry
store. When the worker extracts the piece from the used-up
glovebox #i, this process simultaneously uses up the
gloves of box #(i + 1). We have made “progress” as long as
the process does not leave box #(i + 1)’s gloves completely
used-up.

Of course, our goal is to perform actual operations on
underlying messages, not merely to obtain a new encryption
of the same message. So, suppose that $\mathcal{E}$ can handle $D_{\mathcal{E}}$
augmented by some gate—e.g., Add; call this augmented circuit
$D_{\mathrm{Add}}$. If $c_1$ and $c_2$ are two ciphertexts that encrypt $m_1$ and $m_2$,
respectively, under $pk_1$, and we compute $\overline{c_1}$ and $\overline{c_2}$ as before,
as ciphertexts encrypting the bits of the ciphertexts under
$pk_2$, then we have that

$$c \leftarrow \mathrm{Evaluate}_{\mathcal{E}}(pk_2, D_{\mathrm{Add}}, \overline{sk_1}, \overline{c_1}, \overline{c_2})$$

is an encryption under $pk_2$ of $m_1 \oplus m_2$.

By recursing this process, we get a fully homomorphic
encryption scheme. The public key in $\mathcal{E}'$ consists of
a sequence of public keys $(pk_1, \ldots, pk_{\ell+1})$ and a chain of
encrypted secret keys $\overline{sk_1}, \ldots, \overline{sk_\ell}$, where $sk_i$ is encrypted
under $pk_{i+1}$. To evaluate a function $f$ in $\mathcal{E}'$, we express $f$ as
a circuit, topologically arrange its gates into levels, and
step through the levels sequentially. For a gate at level $i + 1$
(e.g., an Add gate), we take as input the encrypted secret key
$\overline{sk_i}$ and a couple of ciphertexts associated to output wires
at level $i$ that are under $pk_i$, and we homomorphically evaluate
$D_{\mathrm{Add}}$ to get a ciphertext under $pk_{i+1}$ associated to a wire at
level $i + 1$. Finally, we output the ciphertext associated to the
output wire of $f$.

Putting the encrypted secret key bits $\overline{sk_1}, \ldots, \overline{sk_\ell}$ in $\mathcal{E}'$’s
public key is not a problem for security. These encrypted
secret-key bits are indistinguishable from encryptions of 0
as long as $\mathcal{E}$ is semantically secure.


4.4. Circular security
Strictly speaking, $\mathcal{E}'$ does not quite meet our definition of
fully homomorphic encryption, since the complexity of
$\mathrm{KeyGen}_{\mathcal{E}'}$ grows linearly with the maximum circuit depth we
want to evaluate. (Fortunately, $\mathrm{Encrypt}_{\mathcal{E}'}$ and $\mathrm{Decrypt}_{\mathcal{E}'}$ do
not depend at all on the function $f$ being evaluated.)

However, suppose that $\mathcal{E}$ is not only bootstrappable, but
also circular-secure—that is, it is “safe” to reveal the encryption
of a secret key $sk_i$ under its own associated public key
$pk_i$. Then, we can simplify $\mathrm{KeyGen}_{\mathcal{E}'}$. We do not need distinct
public keys $pk_i$ for each circuit level and an acyclic chain of
encrypted secret keys. Instead, the public key in $\mathcal{E}'$ can consist
merely of a single public key $pk$ and a single encrypted
secret key $\overline{sk}$ ($sk$ under $pk$), where $pk$ is associated to all levels
of the circuit. This approach has the additional advantage
that we do not need to decide beforehand the maximal
circuit depth complexity of the functions that we want to be
able to evaluate.

For most encryption schemes, including our some- 
what homomorphic scheme (as far as we know), revealing 
an encryption of sk under pk does not lead to any attack. 
However, it is typically difficult to prove that an encryption 
scheme is circular-secure. 

The issue of circular security also fits within our physical 
analogy. Suppose that a key is locked inside the very same 
box that the key could open from the outside. Is it possible to 
use the gloves and key to open the box from the inside? If so, it 
would be a strange lock. Similarly, encryption schemes that 
are insecure in this setting tend to be contrived. 


5. SOMEWHAT HOMOMORPHIC TO BOOTSTRAPPABLE

Is our somewhat homomorphic encryption scheme from
Section 3 already bootstrappable? Can it handle its own
decryption circuit? Unfortunately, as far as we can tell, $\mathcal{E}$
can almost handle $D_{\mathcal{E}}$, but not quite. So, we modify $\mathcal{E}$ slightly,
constructing a new (but closely related) somewhat homomorphic
scheme $\mathcal{E}^*$ that can handle essentially the same
functions that $\mathcal{E}$ can, but whose decryption circuit is simple
enough to make $\mathcal{E}^*$ bootstrappable.


5.1. Alice gets her hands dirty 

After her dream, Alice rushes to her store to see if her idea 
works. She locks box #1 and puts it inside box #2. Working 
with the gloves of box #2, she tries to unlock box #1 in less 
than 1 min. The thickness of the gloves and the stickiness of 
the lock combine to make it impossible. 

She is despondent until she remembers that she has a 
special grease that makes her locks less sticky. This time, 
she locks box #3 and puts it inside box #4. She also puts her 
bottle of grease inside box #4. Working with the gloves of 
box #4, she squirts some grease on the lock and then tries to 
unlock it. But the gloves stiffen before she can finish. 

Then, she thinks: why didn’t I grease the box’s lock before 
putting it inside the other box? That way, I wouldn’t waste 
my valuable time with the gloves greasing the lock. 

She locks box #5, greases its lock, and then puts it inside 
box #6. Working with gloves, she tries the lock again. This 
time it works, despite the clumsiness of the gloves! 

At last, she has a system that lets her securely delegate the 
processing of her precious materials into arbitrarily compli- 
cated pieces! Her workers just need to apply the grease to 
each box before they put it inside the next box. She can hardly 
wait to put the system in place the following morning. 


5.2. Greasing the decryption circuit
In our somewhat homomorphic encryption scheme $\mathcal{E}$ from
Section 3, the decryption function is:

$$m \leftarrow (c \bmod p) \bmod 2$$

Equivalently, but more simply, the equation is:

$$m \leftarrow \mathrm{LSB}(c) \ \mathrm{XOR}\ \mathrm{LSB}(\lfloor c/p \rceil),$$

where LSB takes the least significant bit and $\lfloor \cdot \rceil$ rounds to the
nearest integer. This is equivalent, since $(c \bmod p) = c - p \cdot \lfloor c/p \rceil$.
Since $p$ is odd, we have that $(c \bmod p) \bmod 2 = c - \lfloor c/p \rceil \bmod 2$.
This is just the XOR of the least significant bits of $c$
and $\lfloor c/p \rceil$.

In the decryption circuit $D_{\mathcal{E}}$, computing the LSB is immediate:
the circuit simply does not have output wires for the
more significant bits. Computing an XOR also takes only
one gate. If the decryption function is complicated, it must
be because computing $\lfloor c/p \rceil$ is complicated. Is the function
$f(p, c) = \lfloor c/p \rceil$ (with the few steps afterward) something that
$\mathcal{E}$ can handle? If so, $\mathcal{E}$ is bootstrappable, and can be used to
construct a fully homomorphic encryption scheme.

Unfortunately, even a single multiplication of long
numbers—namely, $c$ with $1/p$—seems to be too complex
for $\mathcal{E}$ to handle. The reason is that $c$ and $1/p$ each need to be
expressed with at least $P \approx \log p$ bits of precision to ensure
that $f(p, c)$ is computed correctly. When you multiply two
$P$-bit numbers, a bit of the result may be a high-degree polynomial
of the input bits; this degree is also roughly $P$. We
saw that $\mathcal{E}$ can handle an elementary symmetric polynomial
in $t$ variables of degree (roughly) $d < P/(N \cdot \log t)$. However,
$\mathcal{E}$ cannot handle even a single monomial of degree $P$,
where the noise of output ciphertext is upper-bounded
by $(2^N)^P \approx p^N \gg p/2$. Consequently, $\mathcal{E}$ does not seem to be
bootstrappable.

However, if we are willing to get our hands dirty by tinkering
with $\mathcal{E}$ to make the decryption function simpler,
we eventually get a scheme $\mathcal{E}^*$ that is bootstrappable. The
main idea of the transformation is to replace $\mathcal{E}$’s decryption
function, which multiplies two long numbers, with
a decryption function that adds a fairly small set of numbers.
In terms of the bits of the addends, this summation
corresponds to a polynomial of fairly low degree that $\mathcal{E}^*$ can
handle.

Let us go through the transformation step by step, beginning
with $\mathrm{KeyGen}_{\mathcal{E}^*}$. The transformation uses a couple of
integer parameters: $0 < \alpha < \beta$.


• $\mathrm{KeyGen}_{\mathcal{E}^*}(\lambda)$: Run $\mathrm{KeyGen}_{\mathcal{E}}(\lambda)$ to obtain keys $(pk, sk)$,
  where $sk$ is an odd integer $p$. Generate a set $\vec{y} =
  \langle y_1, \ldots, y_\beta \rangle$ of rational numbers in $[0, 2)$ such that there
  is a sparse subset $S \subset \{1, \ldots, \beta\}$ of size $\alpha$ with $\sum_{i \in S} y_i \approx 1/p
  \bmod 2$. Set $sk^*$ to be the sparse subset $S$, encoded as
  a vector $s \in \{0, 1\}^\beta$ with Hamming weight $\alpha$. Set $pk^* \leftarrow
  (pk, \vec{y})$.

The important difference between $\mathrm{KeyGen}_{\mathcal{E}^*}$ and $\mathrm{KeyGen}_{\mathcal{E}}$
is that $\mathrm{KeyGen}_{\mathcal{E}^*}$ includes a hint about the secret integer
$p$—namely, a set of numbers $\vec{y}$ that contains a (hidden) sparse
subset that sums to $1/p$ (to within a very small error, and up
to addition by an even number). This hint is the “grease,”
which will be used in $\mathrm{Encrypt}_{\mathcal{E}^*}$ and $\mathrm{Decrypt}_{\mathcal{E}^*}$. Although it is
technically not the decryption key $sk^*$, the integer $p$ still can
be used to decrypt a ciphertext output by $\mathrm{Encrypt}_{\mathcal{E}^*}$, so revealing
this hint obviously impacts security, a point we elaborate
on in Section 5.4.


• $\mathrm{Encrypt}_{\mathcal{E}^*}(pk^*, m)$: Run $\mathrm{Encrypt}_{\mathcal{E}}(pk, m)$ to obtain
  ciphertext $c$. For $i \in \{1, \ldots, \beta\}$, set $z_i \leftarrow c \cdot y_i \bmod 2$, keeping
  only about $\log \alpha$ bits of precision after the binary
  point for each $z_i$. The ciphertext $c^*$ consists of $c$ and
  $\vec{z} = \langle z_1, \ldots, z_\beta \rangle$.

The important point here is that the hint $\vec{y}$ is used to
postprocess a ciphertext $c$ output by $\mathrm{Encrypt}_{\mathcal{E}}$, with the objective
of leaving less work remaining for $\mathrm{Decrypt}_{\mathcal{E}^*}$ to do.

This sort of two-phase approach to decryption has
been used before in server-aided cryptography. (See cites in
Gentry.) In that setting, a user wants to minimize its cryptographic
computation—e.g., because it is using a constrained
device, such as a smartcard or handheld. So, it
outsources expensive computations to a server. To set up
this arrangement, the user (in some schemes) must give the
server a hint $\vec{y}$ that is statistically dependent on its secret
key $sk$, but which is not sufficient to permit the server to
decrypt efficiently on its own. The server uses the hint to
process a ciphertext directed to the user, leaving less work
for the user to do. In our setting, the encrypter or evaluator
plays the role of the server, postprocessing the ciphertext so
as to leave less work for the decryption algorithm to do.


• $\mathrm{Decrypt}_{\mathcal{E}^*}(sk^*, c^*)$: Output $\mathrm{LSB}(c)\ \mathrm{XOR}\ \mathrm{LSB}(\lfloor \sum_i s_i z_i \rceil)$.
  Decryption works, since (up to small precision errors)
  $\sum_i s_i z_i = \sum_i c \cdot s_i y_i = c/p \bmod 2$.

To ensure that the rounding is correct despite the
low precision, we need $c$ to be closer (than the trivial $p/2$)
to a multiple of $p$ (say, within $p/16$). This makes $\mathcal{F}_{\mathcal{E}^*}$ smaller
than $\mathcal{F}_{\mathcal{E}}$, since $\mathcal{F}_{\mathcal{E}^*}$ is limited to functions where
$|f'(a_1, \ldots, a_t)| < p/16$ when the $a_i$ are $N$ bits. This makes only a small
difference.

The important point regarding $\mathrm{Decrypt}_{\mathcal{E}^*}$ is that we replace
the multiplication of $c$ and $1/p$ with a summation that contains
only $\alpha$ nonzero terms. The bits of this summation can
be computed by a polynomial of degree $\alpha \cdot \mathrm{polylog}(\alpha)$, which
$\mathcal{E}^*$ can handle if we set $\alpha$ to be small enough.


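• $\mathrm{Add}_{\mathcal{E}^*}(pk^*, c_1^*, c_2^*)$: Extract $c_1$ and $c_2$ from $c_1^*$ and $c_2^*$. Run
  $c \leftarrow \mathrm{Add}_{\mathcal{E}}(pk, c_1, c_2)$. The output ciphertext $c^*$ consists of $c$,
  together with the result of postprocessing $c$ with
  $\vec{y}$. $\mathrm{Mult}_{\mathcal{E}^*}(pk^*, c_1^*, c_2^*)$ is analogous.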
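The hint, the postprocessing step and the division-free decryption of Section 5.2, as an added example that is not code from the article. It uses fixed-point integers for the rational numbers $y_i$; the sizes of α and β, the precision rule k = gamma_bits + 4 and all function names are assumptions made for this toy setting.

```python
import secrets

ALPHA = 4    # alpha: size of the hidden sparse subset (toy value)
BETA = 32    # beta: number of published hint values y_i (toy value)
FRAC_BITS = (ALPHA - 1).bit_length() + 3   # about log(alpha) bits kept per z_i


def round_div(a, b):
    """Nearest integer to a/b for a >= 0, b > 0."""
    return (a + b // 2) // b


def keygen_star(p, gamma_bits):
    """Hint for the secret odd p: y_i = u[i] / 2**k in [0, 2), plus sparse s.

    gamma_bits bounds the bit length of ciphertexts; k = gamma_bits + 4
    keeps the error of c * (sum of the hint) small next to 1/2.
    """
    k = gamma_bits + 4
    modulus = 1 << (k + 1)                       # the y_i are taken mod 2
    target = round_div(1 << k, p)                # 1/p scaled by 2**k
    u = [secrets.randbelow(modulus) for _ in range(BETA)]
    subset = secrets.SystemRandom().sample(range(BETA), ALPHA)
    rest = sum(u[i] for i in subset[1:])
    u[subset[0]] = (target - rest) % modulus     # sum over S = 1/p mod 2
    s = [1 if i in subset else 0 for i in range(BETA)]
    return (u, k), s


def postprocess(c, hint):
    """Encrypt*/Add* step: z_i = c * y_i mod 2, rounded to FRAC_BITS bits."""
    u, k = hint
    shift = k - FRAC_BITS
    z = []
    for ui in u:
        v = (c * ui) % (1 << (k + 1))            # c*y_i mod 2, scaled by 2**k
        z.append((v + (1 << (shift - 1))) >> shift)
    return z


def decrypt_star(s, c, z):
    """LSB(c) XOR LSB(round(sum_i s_i z_i)): alpha additions, no division."""
    total = sum(zi for si, zi in zip(s, z) if si)
    rounded = (total + (1 << (FRAC_BITS - 1))) >> FRAC_BITS
    return (c & 1) ^ (rounded & 1)


def decrypt_base(p, c):
    """Original decryption: (c mod p) mod 2 with (c mod p) in (-p/2, p/2)."""
    r = c % p
    return (r - p if r > p // 2 else r) % 2


def sample_ciphertext(p, m, n_bits=8, q_bits=256):
    """Fresh base-scheme ciphertext m' + p*q (constructed sample input)."""
    m_prime = (secrets.randbits(n_bits - 1) << 1) | m
    return m_prime + p * secrets.randbits(q_bits)


if __name__ == "__main__":
    p = secrets.randbits(64) | (1 << 63) | 1     # toy secret key
    hint, s = keygen_star(p, gamma_bits=64 + 256)
    for m in (0, 1, 1, 0):
        c = sample_ciphertext(p, m)
        z = postprocess(c, hint)                 # done by the encrypter
        print(m, decrypt_star(s, c, z), decrypt_base(p, c))
```

The decryptor never touches p: it adds the α selected low-precision values and rounds, which is the low-degree computation the bootstrapping argument needs.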


5.3. How to add numbers
To see that $\mathcal{E}^*$ can handle the decryption function plus an
additional gate when $\alpha$ is set small enough, let us consider the
computation of the sum $\sum_i s_i z_i$. In this sum, we have $\beta$ numbers
$a_1, \ldots, a_\beta$, each $a_i$ expressed in binary $(a_{i,0}, \ldots, a_{i,-\ell})$ with
$\ell = O(\log \alpha)$, where at most $\alpha$ of the $a_i$’s are nonzero (since the
Hamming weight of $s$ is $\alpha$). We want to express each bit of the
output as a polynomial of the input bits, while minimizing
the degree of the polynomial and the number of monomials.

Our approach to the problem is to add up the column
of LSBs of the numbers—computing the Hamming weight
of this column—to obtain a number in binary representation.
Then, we add up the column of penultimate bits, etc.
Afterward, we combine the partial results. More precisely,
for $j \in [0, -\ell]$, we compute the Hamming weight $b_j$, represented
in binary, of $(a_{1,j}, \ldots, a_{\beta,j})$. Then, we add up the $\ell + 1$
numbers $b_0, \ldots, 2^{-\ell} b_{-\ell}$ to obtain the final correct sum.

Conveniently, the binary representation of the Hamming
weight of any vector $x \in \{0,1\}^t$ is given by

$$\left(e_{2^{\lfloor \log t \rfloor}}(x_1, \ldots, x_t) \bmod 2, \ \ldots, \ e_{2^0}(x_1, \ldots, x_t) \bmod 2\right)$$

where $e_i(x_1, \ldots, x_t)$ is the $i$th elementary symmetric polynomial
over $x_1, \ldots, x_t$. These polynomials have degree at most $t$.
Also, we know how to efficiently evaluate the elementary
symmetric polynomials. They are simply coefficients of the
polynomial $p(z) = \prod_{i=1}^{t} (z - x_i)$. An important point is that, in
our case, we only need to evaluate the polynomials up to
degree $\alpha$, since we know a priori that each of the Hamming
weights is at most $\alpha$. We saw in Section 3.3 that we can
handle elementary symmetric polynomials in $t$ variables
of degree up to about $\lambda/\log t = \Omega(\lambda/\log \lambda)$ for our suggested
parameters. We can set $\alpha$ to be smaller than this.
The final step of computing the sum of the $b_j$’s does not
require much computation, since there are only $\ell + 1 = O(\log
\alpha)$ of them. We get that a ciphertext encrypting a bit of the
overall sum has noise of at most $N \cdot \alpha \cdot g(\log \alpha)$ bits for some
polynomial $g$ of low degree. If the final sum modulo 2 is
$(b'_0, b'_{-1}, \ldots)$ in binary, then the rounding operation modulo
2 is simply $b'_0$ XOR $b'_{-1}$. With the additional XOR operation
in decryption, and possibly one more gate, the noise after
evaluating the decryption function plus a gate has at most
$N \cdot \alpha \cdot h(\log \alpha)$ bits for some polynomial $h$.

The scheme $\mathcal{E}^*$ becomes bootstrappable when this noise
has at most $\log(p/16) = P - 4$ bits. For example, this works
when $\alpha = \lambda/\mathrm{polylog}(\lambda)$, $N = \lambda$, and $P = \lambda^2$.
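The column-wise addition of Section 5.3, as an added example that is not code from the article: each digit of a column's Hamming weight is read off an elementary symmetric polynomial modulo 2, using only additions and multiplications. It runs on plaintext bits and integer-scaled fixed-point numbers; the function names and the sample sizes are assumptions.

```python
import secrets


def elementary_symmetric_mod2(bits, max_degree):
    """e_0 .. e_max_degree of the given bits, reduced mod 2.

    Follows the recurrence behind prod_i (1 + x_i * z): adding a variable x
    updates e_k <- e_k + x * e_{k-1}. Only + and * are used, the two
    operations the homomorphic scheme offers (here on plaintext bits).
    """
    e = [1] + [0] * max_degree
    for x in bits:
        for k in range(max_degree, 0, -1):
            e[k] = (e[k] + x * e[k - 1]) % 2
    return e


def hamming_weight_bits(bits, max_weight):
    """Binary digits (LSB first) of the Hamming weight, assumed <= max_weight.

    Digit i is e_{2^i}(bits) mod 2, so no polynomial of degree above
    max_weight is ever evaluated.
    """
    top = max_weight.bit_length() - 1            # floor(log2(max_weight))
    e = elementary_symmetric_mod2(bits, 1 << top)
    return [e[1 << i] for i in range(top + 1)]


def sparse_sum(numbers, width, alpha):
    """Add fixed-point numbers column by column.

    numbers: non-negative ints of `width` bits (the z_i scaled to integers),
    of which at most `alpha` are nonzero.
    """
    total = 0
    for j in range(width):
        column = [(a >> j) & 1 for a in numbers]
        digits = hamming_weight_bits(column, alpha)
        b_j = sum(d << i for i, d in enumerate(digits))
        total += b_j << j                        # combine the partial results
    return total


def constructed_inputs(alpha=4, beta=32, width=6):
    """Constructed sample: beta numbers, only alpha of them nonzero."""
    nums = [0] * beta
    for i in secrets.SystemRandom().sample(range(beta), alpha):
        nums[i] = secrets.randbelow(1 << width)
    return nums


if __name__ == "__main__":
    sample = constructed_inputs()
    print(sparse_sum(sample, 6, 4), sum(sample))
```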


5.4. Security of the transformed scheme
The encryption key of $\mathcal{E}^*$ contains a hint about the secret $p$.
But we can prove that $\mathcal{E}^*$ is semantically secure, unless either
it is easy to break the semantic security of $\mathcal{E}$ (which implies
that the approximate gcd problem is easy), or the following
sparse (or low-weight) subset sum problem (SSSP) is easy:
given a set of $\beta$ numbers $\vec{y}$ and another number $s$, find the
sparse ($\alpha$-element) subset of $\vec{y}$ whose sum is $s$.

The SSSP has been studied before in connection with
server-aided cryptosystems. If $\alpha$ and $\beta$ are set appropriately,
the SSSP is a hard problem, as far as we know. In particular,
if we set $\alpha$ to be about $\lambda$, it is hard to find the sparse subset
by “brute force,” since there are $\binom{\beta}{\alpha} \approx \beta^{\alpha}$ possibilities. If the
sparse subset sum is much closer to $1/p$ than any other subset
sum, the problem yields to a lattice attack. But these
attacks fail when we set $\beta$ large enough (but still polynomial
in $\lambda$) so that an exponential (in $\lambda$) number of subset sums are
as close to $1/p$ as the sparse subset. Concretely, we can set
$\beta = \lambda^5 \cdot \mathrm{polylog}(\lambda)$.


6. CONCLUSIONS 

We now know that FHE is possible. We already have the
scheme presented here, the lattice-based scheme by
Gentry, and a recent scheme by Smart and Vercauteren.

There is still work to be done toward making FHE truly
practical. Currently, all known FHE schemes follow the blueprint
above: construct a bootstrappable somewhat homomorphic
encryption scheme $\mathcal{E}$, and obtain FHE by running
$\mathrm{Evaluate}_{\mathcal{E}}$ on $\mathcal{E}$’s decryption function. But this approach is
computationally expensive. Not only is the decryption function
expressed (somewhat inefficiently) as a circuit, but then
$\mathrm{Evaluate}_{\mathcal{E}}$ replaces each bit in this circuit with a large ciphertext
that encrypts that bit. Perhaps someone will find a more
efficient blueprint.

The scheme presented here, while conceptually simpler,
seems to be less efficient than the lattice-based scheme.
To get $2^\lambda$ security against known attacks—e.g., on the
approximate gcd problem—ciphertexts are $\lambda^5 \cdot \mathrm{polylog}(\lambda)$
bits, which leads to $\lambda^{10} \cdot \mathrm{polylog}(\lambda)$ computation to evaluate
the decryption function. The lattice-based scheme
with comparable security has $\lambda^6 \cdot \mathrm{polylog}(\lambda)$ computation.
This is high, but not totally unreasonable. Consider: to
make RSA $2^\lambda$-secure against known attacks—in particular,
against the number field sieve factoring algorithm—
you need to use an RSA modulus with approximately $\lambda^3$
bits. Then, RSA decryption involves exponentiation by a
$\lambda^3$-bit exponent—i.e., about $\lambda^3$ multiplications. Even if
one uses fast Fourier multiplication, this exponentiation
requires $\lambda^6 \cdot \mathrm{polylog}(\lambda)$ computation. Also, unlike RSA, the
decryption function in our scheme is highly parallelizable,
which may make an enormous difference in some
implementations.


7. EPILOGUE 

The morning after her dream, Alice explains her glovebox 
solution to her workers. They are not happy, but they wish 
to remain employed. As the day progresses, it becomes clear 
that the gloveboxes are slowing down the pace of jewelry 
construction considerably. The main problem seems to be 
the thick gloves, which multiply the time needed for each 
assembly step. After a few days of low output, Alice curtails 
her use of the gloveboxes to pieces that contain the most 
valuable diamonds. 

Alice loses her suit against Acme Glovebox Company, 
because, as far as anyone knows in Alice’s parallel world, 
gloves in gloveboxes are always very stiff and stiffen com- 
pletely after moderate use. The old judge explains this to her 
in a patronizing tone. 

But Alice refuses to give up. She hires a handsome young 
glovebox researcher, and tasks him with developing a glove 
flexible enough to permit the nimble assembly of jewels and 
unlocking of boxes, but sturdy enough to prevent the boxes 
from being easily compromised. The researcher, amazed at 
his good fortune, plunges into the problem.

Seeing the Trees, the Forest, and Much More

By Pietro Perona

YOUR PORTABLE PHONE can beat you at
chess, but can it recognize a horse?
Bristling with cameras, microphones,
and other sensors, today’s machines
are nevertheless essentially deaf and
blind; they do not have senses to interact
with their environment. In the
meantime, vast amounts of valuable
sensory data is captured, transmitted,
and inexpensively stored every day. TV
programs and movies, fMRI scans,
planetary surveys, footage from security
cameras, and digital photographs
pile up and lie fallow on hard drives
around the globe. It is all too much
for humans to organize and access
by hand. Someone has appropriately
called this the “data deluge.” Automating
the process of analyzing sensory
data and transforming it into actionable
information is one of the most
useful and difficult challenges of modern
engineering.

How shall we go about building machines
that can see, hear, smell, touch?
Sensory tasks come in all shapes and
forms: reading books, recognizing
people, or hitting tennis balls. It is
expeditious to approach each one as
a separate problem. However, one remarkable
fact about our own senses is
they adapt easily to new environments
and tasks. Our senses evolved to help
us navigate and forage among trees,
rocks, and grass, as well as enable us
to socialize with people. Despite this
history, we can train ourselves to read
text, to recognize galaxies in telescope
images, and to drive fast-moving vehicles.
Discovering general laws and
principles that underlie sensory processing
might one day allow us to design
and build flexible and adaptable
sensory systems for our machines.

In the following paper, Torralba,
Murphy, and Freeman are concerned
with visual recognition. They explore
one principle that has general validity:
the use of context. The authors propose
an elegant and compelling demonstration
showing that context is crucial for
recognizing an object when the image
has poor resolution and, as a result,
the object’s picture is ambiguous. That
context may be useful in visual recognition
is rather intuitive. However, to design
a machine that makes use of context
we must first define what context
is, exactly how should one measure it,
and how these measurements may be
used to recognize objects.

The context of an object is a rich
and complex phenomenon, and it is
not easily defined. The identity of the
scene (suburban street, kitchen) where
the object is found could be thought of
as its context. The identity of the surfaces
and objects present in the scene
(two automobiles, a pedestrian, a fire
hydrant, a building’s facade), as well
as the mutual position of such surfaces
and objects, are also considered context.
So, too, is the weather, lighting
conditions, time of day, historical period,
and other circumstances. Where
should one begin? What should one
measure? One could worry that the entire
problem of vision must be solved
before one is able to define and compute
context. It is not surprising that
most researchers to date have sidestepped
this baffling chicken-and-egg
issue.

The authors avoid computing explicit
scene semantic information.
They start instead by considering
easy-to-compute, image-like quantities
that correlate with context. Inspired
by what we know about the human visual
system, they compute statistics of
the output of wavelet-like linear filters
applied to the image. These statistics
capture some aspects of the visual statistics
of the scene that, in turn, are
indicative of its overall nature: for example,
long and vertical structure in
a forest, sparse horizontal structure
in open grassland. Filter statistics are
thus correlated to scene type. Torralba,
Murphy, and Freeman call the ensemble
of their measurements “gist,”
a term used in psychology to denote
the overall visual meaning of a scene,
which has been shown to be perceived
quickly by human observers.

The authors find that, surprisingly, their filter-based gist is rather
good at predicting the number of instances of a given object category
that might be present in the scene, as well as their likely position
along the y-axis. Combining this with information coming from object
detectors operating independently at each location produces an overall
score for the presence of an object of a given class at location (x, y).
This is more reliable than using the detectors alone. It looks like it
is finally open season on visual context.
Using the Forest to See the Trees: Exploiting Context
for Visual Object Detection and Localization


By A. Torralba, K.P. Murphy, and W.T. Freeman 


Abstract 

Recognizing objects in images is an active area of research 
in computer vision. In the last two decades, there has been 
much progress and there are already object recognition sys- 
tems operating in commercial products. However, most of 
the algorithms for detecting objects perform an exhaustive
search across all locations and scales in the image comparing
local image regions with an object model. That approach
ignores the semantic structure of scenes and tries to solve
the recognition problem by brute force. In the real world,
objects tend to covary with other objects, providing a rich
collection of contextual associations. These contextual associations
can be used to reduce the search space by looking
only in places in which the object is expected to be; this also
increases performance, by rejecting patterns that look like
the target but appear in unlikely places.

Most modeling attempts so far have defined the context
of an object in terms of other previously recognized objects.
The drawback of this approach is that inferring the context
becomes as difficult as detecting each object. An alternative
view of context relies on using the entire scene information
holistically. This approach is algorithmically attractive since
it dispenses with the need for a prior step of individual object
recognition. In this paper, we use a probabilistic framework
for encoding the relationships between context and object
properties and we show how an integrated system provides
improved performance. We view this as a significant step
toward general purpose machine vision systems.


1. INTRODUCTION

Visual object detection, such as finding cars and people in
images, is an important but challenging task. It is important
because of its inherent scientific interest (understanding
how to make machines see may shed light on biological
vision), and because it is useful for many applications, such
as content-based image retrieval, robotics, etc. It is challenging
because the appearance of objects can vary a lot from
instance to instance, and from image to image, due to factors
such as variation in pose, lighting, style, articulation,
occlusion, low quality imaging, etc.

Over the last two decades, much progress has
been made in visual object detection using machine
learning techniques. Most of these approaches rely on
using supervised learning to train a classifier to distinguish
between instances of the object class and the
background. The trained classifier is then applied to
thousands of small overlapping patches or windows of
each test image, and the locations of the high-confidence
detections are returned. The features computed inside
each patch are usually the outputs of standard image 
processing operations, such as a histogram of responses 
to Gabor filters at different scales and orientations. 
The classifiers themselves are standard supervised learn- 
ing models such as SVMs, neural networks, or boosted 
decision stumps.” 

This “sliding window classifier” technique has been 
quite successful in certain domains such as detecting cars, 
pedestrians, and faces. Indeed most contemporary digital
cameras employ such a technique to detect faces, which
they use to set the auto-focus. Also, some cars now come 
equipped with pedestrian detection systems based on simi- 
lar principles. 

One major problem with the standard approach is that 
even a relatively low false-positive rate per class can be unac- 
ceptable when there are many classes or categories. For 
example, if each detector generates about 1 false alarm every 
10 images, and there are 1000 classes, we will have 100 false 
alarms per image. An additional problem is that running 
every detector on every image can be slow. These are both 
fundamental obstacles to building a general purpose vision 
system. 

One reason for the relatively high false alarm rate of stan- 
dard approaches is that most object detection systems are 
“myopic,” in the sense that they only look at local features 
of the image. One possible remedy is to leverage global fea- 
tures of the image, and to use these to compute the “prior” 
probability that each object category is present, and if so, 
its likely location and scale. Previous work (e.g., Torralba'’)
has shown that simple global image features, known as the
“gist” of the image, are sufficient to provide robust predictions
about the presence and location of different object
categories. Such features are fast to compute, and provide
information that is useful for many classes and locations
simultaneously.

An early version of this paper, entitled “Using the forest
to see the trees: a graphical model relating features,
objects and scenes,” was published in Neural Information
Processing Systems, 2003, MIT Press. Ref. [9].

In this paper, which is an extension of our previous 
work,*:*: 7 we present a simple approach for combining stan- 
dard sliding-window object detection systems, which use 
local, “bottom up” image features, with systems that pre- 
dict the presence and location of object categories based 
on global, or “top-down,” image features. These global features
serve to define the context in which the object detection
is happening. The importance of context is illustrated
in Figure 1, which shows that the same black “blob,” when
placed in different surroundings, can be interpreted as a
plate or bottle on the table, a cell phone, a pedestrian or car, 
or even a shoe. Another example is shown in Figure 2: it is 
easy to infer that there is very probably a computer monitor 
behind the blacked out region of the image. 

We are not the first to point out the importance of con- 
text in computer vision. For example, Strat and Fischler 
emphasized its importance in their 1991 paper.'® However, 
there are two key differences between our approach and 
previous work. First, in early work, such as’® the systems 
consist of hand-engineered if-then rules, whereas more 
recent systems rely on statistical models that are fit to data. 
Second, most other approaches define the context in terms 
of other objects® '* ''8; but this introduces a chicken-and-egg
problem: to detect an object of type 1 you first have to
detect an object of type 2. By contrast, we propose a hierarchical
approach, in which we define the context in terms of
an overall scene category. This can be reliably inferred using
global image features. Conditioned on the scene category,
we assume that objects are independent. While not strictly
true, this results in a simple yet effective approach, as we will
show below.

Figure 1. In presence of image degradation (e.g., blur), object
recognition is strongly influenced by contextual information. The
visual system makes assumptions regarding object identities based
on its size and location in the scene. In these images, the same black
blob can be interpreted as a plate, bottle, cell phone, car, pedestrian,
or shoe, depending on the context. (Each circled blob has identical
pixels, but in some cases has been rotated.)

Figure 2. What is hidden behind the mask? In this example, context
is so strong that one can reliably infer that the hidden object is a
computer monitor.

In the following sections, we describe the different components
of our model. We will start by showing how we can
represent contextual information without using objects as
an intermediate representation. Then we will show how that
representation can be integrated with an object detector.


2. GLOBAL IMAGE FEATURES: THE GIST OF AN IMAGE 

In the same way that an object can be recognized without 
decomposing it into a set of nameable parts (e.g., the most 
successful face detectors do not try to detect the eyes and 
mouth first, instead they search for less semantically mean- 
ingful features), scenes can also be recognized without nec- 
essarily decomposing them into objects. The advantage of 
this is that it provides an additional source of information 
that can be used to provide contextual information for object 
recognition. As suggested in Oliva and Schyns and Oliva and 
Torralba,'*'' it is possible to build a global representation of
the scene that bypasses object identities, in which the scene
is represented as a single entity. Recent work in computer
vision has highlighted the importance of global scene representations
for scene recognition'”"' and as a source of contextual
information.* ° '’ These representations are based
on computing statistics of low level features (similar to rep- 
resentations available in early visual areas such as oriented 
edges, vector quantized image patches, etc.) over fixed image 
regions. One example of a global image representation is the 


gist descriptor.'! The gist descriptor is a vector of features $g$,
where each individual feature $g_k$ is computed as

$$g_k = \sum_{x,y} w_k(x, y) \times \left| I(x, y) \otimes h_k(x, y) \right|^2 \qquad (1)$$

where $\otimes$ denotes image convolution and $\times$ is a pixel-wise
multiplication. $I(x, y)$ is the luminance channel of the input
image, $h_k(x, y)$ is a filter from a bank of multiscale-oriented
Gabor filters (six orientations and four scales), and $w_k(x, y)$ is
a spatial window that will compute the average output energy
of each filter at different image locations. The windows
$w_k(x, y)$ divide the image in a grid of 4 × 4 nonoverlapping
windows. This results in a descriptor with a dimensionality
of 4 × 4 × 6 × 4 = 384.
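Equation 1 written out as runnable code. This is an added example, not the authors' implementation: the Gabor parameters (wavelengths, envelope width, truncation, zero-mean correction), the circular border handling and the feature ordering are assumptions, and `stripes` builds a constructed test image.

```python
import cmath
import math

N_ORIENT = 6                         # six orientations, as in the text
WAVELENGTHS = (3.0, 4.0, 6.0, 8.0)   # four scales, in pixels (assumed values)
GRID = 4                             # 4 x 4 non-overlapping windows w_k


def gabor_kernel(wavelength, theta):
    """Complex Gabor filter h_k as a list of (dx, dy, weight) taps.

    Assumptions of this sketch: isotropic Gaussian envelope with
    sigma = wavelength / 2, truncated at 2 sigma, normalised to unit
    envelope sum, and made zero-mean so a flat image gives no response.
    theta is the direction of the carrier wave, so theta = 0 responds
    to vertical edges.
    """
    sigma = 0.5 * wavelength
    radius = int(math.ceil(2.0 * sigma))
    cos_t, sin_t = math.cos(theta), math.sin(theta)
    taps = []
    for dy in range(-radius, radius + 1):
        for dx in range(-radius, radius + 1):
            env = math.exp(-(dx * dx + dy * dy) / (2.0 * sigma * sigma))
            phase = 2.0 * math.pi * (dx * cos_t + dy * sin_t) / wavelength
            taps.append((dx, dy, env, env * cmath.exp(1j * phase)))
    env_sum = sum(t[2] for t in taps)
    dc = sum(t[3] for t in taps) / env_sum
    return [(dx, dy, (w - dc * env) / env_sum) for dx, dy, env, w in taps]


def filter_energy(image, kernel):
    """|I (x) h_k|^2 at every pixel, with circular (wrap-around) borders."""
    height, width = len(image), len(image[0])
    out = [[0.0] * width for _ in range(height)]
    for y in range(height):
        for x in range(width):
            acc = 0j
            for dx, dy, weight in kernel:
                acc += image[(y - dy) % height][(x - dx) % width] * weight
            out[y][x] = acc.real ** 2 + acc.imag ** 2
    return out


def gist(image):
    """384-dimensional descriptor of Equation 1 for a 2-D luminance list.

    Feature order (an assumption): scale, orientation, window row,
    window column. Each window w_k averages the energy inside one cell.
    """
    height, width = len(image), len(image[0])
    if height % GRID or width % GRID:
        raise ValueError("image sides must be multiples of 4")
    cell_h, cell_w = height // GRID, width // GRID
    features = []
    for wavelength in WAVELENGTHS:
        for o in range(N_ORIENT):
            kernel = gabor_kernel(wavelength, o * math.pi / N_ORIENT)
            energy = filter_energy(image, kernel)
            for row in range(GRID):
                for col in range(GRID):
                    cell = [energy[y][x]
                            for y in range(row * cell_h, (row + 1) * cell_h)
                            for x in range(col * cell_w, (col + 1) * cell_w)]
                    features.append(sum(cell) / len(cell))
    return features


def dominant_filter(features):
    """(scale index, orientation index) of the filter with most energy."""
    cells = GRID * GRID
    totals = [sum(features[i:i + cells]) for i in range(0, len(features), cells)]
    best = max(range(len(totals)), key=totals.__getitem__)
    return divmod(best, N_ORIENT)


def stripes(size, period):
    """Constructed test image: vertical bars repeating every `period` px."""
    return [[0.5 + 0.5 * math.cos(2.0 * math.pi * x / period)
             for x in range(size)] for _ in range(size)]


if __name__ == "__main__":
    g = gist(stripes(16, 8.0))
    print(len(g), dominant_filter(g))
```

The pure-Python convolution is only practical for small images; a production version would filter in the frequency domain.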

Figure 3 illustrates the amount of information preserved 
by the gist descriptor. The middle column shows the average 
of the output magnitude of the multiscale-oriented filters on 
a polar plot (note that the orientation of each plot is ortho- 
gonal to the direction of the edges in the image). The aver- 
age response of each filter is computed locally by splitting 
the image into 4 x 4 windows. Each different scale is color 
coded (red for high spatial frequencies, and blue for the low 
spatial frequencies), and the intensity is proportional to 
the energy for each filter output. In order to illustrate the 
amount of information preserved by this representation, 
the right column of Figure 3 shows noise images that are 
coerced to have the same gist features as the target image, 
using the texture synthesis method of Heeger and Bergen.’ 
As shown in Figure 3, the gist descriptor provides a coarse 
description of the textures present in the image and their 
spatial organization. The gist descriptor preserves relevant
information needed for categorizing scenes into categories
(e.g., classifying an image as being a beach scene, a street
or a living-room). As reported in Quattoni and Torralba,”
when trying to discriminate across 15 different scene categories,
the gist descriptor classifies correctly 75% of the
images. Recognizing the scene depicted by a picture is an
important task on its own, but in addition it can be used
to provide strong contextual priors as we will discuss in the
next section.

Figure 3. This figure illustrates the information encoded by the gist
features for three different images. See text for details.


3. JOINT SCENE CLASSIFICATION AND OBJECT 
DETECTION 

In this section, we describe our approach in more detail. 
In Section 3.1, we briefly describe the standard approach 
to object detection and localization using local features. In 
Sections 3.3 and 3.2 we describe how to use global features 
for object localization and detection respectively. In Section 
3.4 we discuss how to integrate these local and global fea- 
tures. A comparison of the performance of local and global 
features is deferred until Section 4. 


3.1. Object presence detection and localization 
using local features 
In our previous paper,’ we considered detecting four differ- 
ent types or classes of objects: cars, people, keyboards, and 
screens (computer monitors). In this paper, we will mostly 
focus on cars, for brevity. We use a subset of the LabelMe 
dataset'':' for training and testing (details are in Section 4). 
There are two tasks that we want to address: object pres- 
ence detection (where the goal is to predict if the object 
is present or absent in the image, i.e., to answer the ques- 
tion: is there any car in this image?) and object localization 
(where the goal is to precisely locate all the instances of an 
object class within each image). Solving the object presence 
detection task can be done even if the object localization is
not accurate.


We can formalize the object presence detection and localization
problem as follows. Let $P^t = 1$ if one or more objects of
type $t$ are present anywhere in the image, and $P^t = 0$ otherwise.
The goal of object presence detection is to estimate the probability
$p(P^t = 1 \mid I)$, where $I$ is the image. Later we will generalize
this slightly by trying to estimate the number of instances
of the object class that might be present, $p(N^t \mid I)$, where
$N^t \in \{0, 1, 2, 3\text{-}5, 5\text{-}10, >10\}$. We call this object counting.
The goal of object localization is to specify the location
and size of each of the object instances. More precisely, let
$O_i^t$ be a binary random variable representing whether image
patch $i$ contains an object of type $t$ or not, for $i \in \{1, \ldots, N\}$,
where $N \sim 1000$ is the number of image patches. (The size
and shape of the image patches vary according to the object
type; for side views of cars, we use patches of size 30 × 80; to
handle cars of different sizes, we apply the technique to multiple
versions of the image at different scales.) One way to
perform localization is to compute the log-likelihood ratio

$$c_i^t = \log \frac{p(f_i^t \mid O_i^t = 1)}{p(f_i^t \mid O_i^t = 0)}, \qquad (2)$$

for each $i$ and $t$, and then to return all the locations where
this log likelihood ratio is above some threshold. Here $f_i^t$ is
a set of local features extracted from image $I$ at patch $i$ for
class $t$. The details of the features and classifier that we used
can be found in Torralba et al.!”

For simplicity, in this paper, we select the $D$ most confident
detections (after performing local nonmaximum suppression);
let their locations be denoted by $\ell_i^t$, for $i \in \{1, \ldots, D\}$.
Figure 6a gives an illustration of the output of our system on
a typical image. For the results in this paper, we set $D = 10$
so that no correct detections are discarded and still small
enough to be efficient. In the figure we show the top $D = 4$
detections to avoid clutter. The locations of each detection $\ell_i^t$
are indicated by the position and scale of the box, and their
confidences $c_i^t$ are indicated by the thickness of the border.
In Figure 6b (top), we see that although the system has
detected the car, it has also detected three false positives.
This is fairly typical of this kind of approach. Below we will
see how to eliminate many of these false positives by using
global context.


3.2. Object presence detection using global image 
features 
To determine if an object class is present in an image given
the gist, we could directly learn a binary classifier of the
form $p(P^t = 1 \mid g)$. Similarly, to predict the number of objects,
we could learn an ordinal regression function of the form
$p(N^t \mid g)$. Instead, we choose a two-step approach in which we
first estimate the category or type of scene, $p(S = s \mid g)$, and then
use this to predict the number of objects present, $p(N^t \mid S = s)$.
This approach has the benefit of having an explicit representation
of the scene category (e.g., a street, a highway, a forest)
which is also an important desired output of an integrated
model.

We can classify the scene using a simple Parzen-window
based density estimator

$$p(S = s \mid g) \propto p(g \mid S = s) = \frac{1}{J} \sum_{j=1}^{J} \mathcal{N}(g \mid \mu_j, \sigma_j^2)$$

where $J$ is the number of mixture components for each class
conditional density. Some examples of scene classification
are shown in Figure 4. As shown in Quattoni and Torralba,””
this technique classifies 75% of the images correctly across
15 different scene categories. Other classifiers give similar
performance.

Once we have estimated the scene category, we can predict
the number of objects that are present using

$$p(N^t = n \mid g) = \sum_{s} p(N^t = n \mid S = s)\, p(S = s \mid g) \qquad (3)$$

where $p(N^t = n \mid S = s)$ is estimated by simple counting.


3.3. Object localization using global image features 

The gist captures the overall spatial layout of the image, and 
hence can be used to predict the expected vertical location of 
each object class before running any detectors; we call this
location priming. However, the gist is not useful for predicting
the horizontal locations of objects, which are usually not
very constrained by the overall structure of the scene (except 
possibly by the horizontal location of other objects, a pos- 
sibility we ignore in this paper). 

We can use any nonlinear regression function to learn the
mapping from gist to expected vertical location. We used a
mixture of experts model,‘ which is a simple weighted average
of locally linear regression models. More precisely, we define

$$p(Y^t \mid g) = \sum_{k=1}^{K} w_k(g)\, \mathcal{N}(Y^t \mid \beta_k^T g, \sigma_k^2)$$

where $Y^t$ is the vertical location of class $t$, $K$ is the number of
experts or mixture components, $\mathcal{N}$ represents a Gaussian or
normal distribution, $\beta_k$ are the regression weights for mixture
component $k$, $\sigma_k^2$ is the residual variance, and $w_k(g)$ is the
weight or “responsibility” of expert $k$, given by the softmax or
multinomial logistic function:

$$w_k(g) = \frac{\exp(v_k^T g)}{\sum_{k'=1}^{K} \exp(v_{k'}^T g)}$$

We illustrate the predictions made by this model in
Figure 6b, where we scale the intensity of each image pixel
by the probability density function $p(Y^t \mid g)$. We see that the
effect is to “mask out” regions of the image which are unlikely
to contain the object of interest. Some more examples can
be seen in Figure 4.

Figure 4. Predicting the presence/absence of cars in images and their locations using gist. The outputs shown here do not incorporate any
information coming from a car detector and are only based on context. Note that in the dataset used to fit the distributions of object counts
for each scene category, it is more common to find cars in street scenes (with many cars circulating and parked) than in highway scenes,
where there are many shots of empty roads. Hence the histogram for highway shows $p(N^t = 0) = 0.6$.


3.4. Integrated model 

We now discuss how to combine the various pieces described 
above. The basic idea is to use the global features to make 
“top-down” predictions about how many object instances 
should be present, and where, and then to use the local 
patch classifiers to provide “bottom-up” signals. 

The key issue is how to combine these two information
sources. The approach we take is as follows (this differs
slightly from the method originally described in Murphy
et al.°). Let us initially ignore location information. We
treat the confidence score of the detector ($c_i^t$, defined in
Equation 2) as a local likelihood term, and fit a model of the
form $p(c_i^t \mid O_i^t = o) = \mathcal{N}(c_i^t \mid \mu_o^t, \sigma_o^t)$ for $o \in \{0, 1\}$. We can learn
the parameters of this Gaussian by computing the empirical
mean and variance of the scores when the detector is applied
to a set of patches which do contain the object (so $o = 1$) and
which do not contain the object (so $o = 0$). If we have a uniform
prior over whether each detection is a true or false
positive, $p(O_i^t = 1) = 0.5$, we can compute the posterior using
Bayes rule as follows:

$$p(O_i^t = 1 \mid c_i^t) = \frac{p(c_i^t \mid O_i^t = 1)}{p(c_i^t \mid O_i^t = 1) + p(c_i^t \mid O_i^t = 0)}$$

However, the detections are not all independent, since we
have the constraint that $N^t = \sum_i I(O_i^t = 1)$, where $N^t$ is the
number of objects of type $t$. If we have top-down information
about $N^t$ from the gist, based on Equation 3, then we can
compute the posterior distribution over detections in $O(2^D)$
time, given the gist, as follows:

$$p(O_{1:D}^t \mid g) \propto \sum_{n=0}^{D} p(O_{1:D}^t \mid n)\, p(N^t = n \mid g)$$

Here the term $p(O_{1:D}^t \mid n)$ is 1 only if the bit vector $O_{1:D}^t$ of length
$D$ has precisely $n$ elements turned on. For compactness, we
use the notation $1:D$ to denote the indices $1, \ldots, D$. We can
combine this with the local detectors as follows:

$$p(O_{1:D}^t \mid c_{1:D}^t, g) \propto p(O_{1:D}^t \mid g) \prod_{i=1}^{D} p(c_i^t \mid O_i^t)$$

If the gist strongly suggests that the object class is absent,
then $p(N^t = 0 \mid g) \approx 1$, so we turn all the object bits off in the
posterior regardless of the detector scores, $p(O_{1:D}^t = 0 \mid c_{1:D}^t, g) \approx 1$.
If the gist strongly indicates that one object is present, then
$p(N^t = 1 \mid g) \approx 1$, and only one $O_i^t$ bit will be turned on in the
posterior; this will be the one with the highest detector score.
And so on.

Now we discuss how to integrate location information.
Let $\ell_i^t$ be the location of the $i$'th detection for class $t$. Since
$Y^t$ represents the expected location of an object of class $t$, we
define another local likelihood term
$p(\ell_i^t \mid O_i^t = 1, Y^t) = \mathcal{N}(\ell_i^t \mid Y^t, \tau^t)$,
where $\tau^t$ is the variance around the predicted location.
If the object is absent, we use a uniform distribution
$p(\ell_i^t \mid O_i^t = 0, Y^t) \propto 1$. Of course, $Y^t$ is not observed directly, but
we can predict it based on the gist; this yields

$$p(\ell_i^t \mid O_i^t, g) = \int p(\ell_i^t \mid O_i^t, Y^t)\, p(Y^t \mid g)\, dY^t$$

which can be solved in closed form, since it is the convolution
of two Gaussians. We can now combine expected location
and detections as follows:

$$p(O_{1:D}^t \mid c_{1:D}^t, \ell_{1:D}^t, g) \propto p(O_{1:D}^t \mid g) \prod_{i=1}^{D} p(c_i^t \mid O_i^t)\, p(\ell_i^t \mid O_i^t, g)$$

To see the effect of this, suppose that the gist strongly suggests
that only one object of type $t$ is present, $p(N^t = 1 \mid g) \approx 1$;
in this case, the object bit which is turned on will be the one
that has the highest score and which is in the most likely
location. Thus confident detections in improbable locations
are suppressed; similarly, unconfident detections in likely
locations are boosted.

Finally, we discuss how to combine multiple types of
objects. Intuitively, the presence of a car makes the presence
of a pedestrian more likely, but the presence of a computer
monitor less likely. However, it is impractical to encode
a joint distribution of the form $p(P^1, \ldots, P^T)$ directly, since
this would require $O(2^T)$ parameters. (Encoding $p(N^1, \ldots, N^T)$
directly would be even worse.) Instead, we introduce the
scene category latent variable $S$, and assume that the presence
(and number) of object types is conditionally independent
given the scene category:

$$p(N^1, \ldots, N^T) = \sum_{s} p(S = s) \prod_{t=1}^{T} p(N^t \mid S = s)$$

Given this assumption, we can perform inference for multiple
object types in parallel as follows: for each possible scene
category, compute the posterior $p(O_{1:D}^t \mid c_{1:D}^t, \ell_{1:D}^t, g, S = s)$ as
described above, and then combine them using a weighted
average with $p(S = s \mid g)$ as the weights.

In summary, our whole model is the following joint probability
distribution:

$$p(O_{1:D}^{1:T}, N^{1:T}, Y^{1:T}, S \mid c_{1:D}^{1:T}, \ell_{1:D}^{1:T}, g) \propto p(S \mid g) \times \prod_{t=1}^{T} p(Y^t \mid g)\, p(N^t \mid S)\, p(O_{1:D}^t \mid N^t) \prod_{i=1}^{D} p(\ell_i^t \mid O_i^t, Y^t)\, p(c_i^t \mid O_i^t)$$
This is illustrated as a probabilistic graphical model (see
e.g., Koller and Friedman’) in Figure 5. There is one node
for each random variable: the shaded nodes are observed
(these are deterministic functions of the image), and the
unshaded nodes are hidden or unknown, and need to be
inferred. There is a directed edge into each node from all
the variables it directly depends on. For example, the $g \to S$
arc reflects the scene classifier; the $g \to Y^t$ arc reflects the
location priming based on the gist; the $S \to N^t$ arc reflects
the object counts given the scene category; the $O_i^t \to c_i^t$ arc
reflects the fact that the presence or absence of an object
of type $t$ in patch $i$ affects the detector score or confidence
$c_i^t$; the $O_i^t \to \ell_i^t$ arc is a deterministic link encoding of the
location of patch $i$; the $Y^t \to \ell_i^t$ arc reflects the $p(\ell_i^t \mid Y^t, O_i^t)$
term; finally, there are the $O_i^t \to \Sigma^t$ and $N^t \to \Sigma^t$ arcs, which are
simply a trick for enforcing the $N^t = \sum_{i=1}^{D} I(O_i^t = 1)$ constraint.
The $\Sigma^t$ node is a dummy node used to enforce the constraint
between the $N^t$ nodes and the $O_i^t$ nodes. Specifically, it is
“clamped” to a fixed state, and we then define
$p(\Sigma^t \mid O_{1:D}^t, N^t = n) = I(\sum_i O_i^t = n)$ (conditional on the observed child $\Sigma^t$, all
the parent nodes, $N^t$ and $O_i^t$, become correlated due to the
“explaining away” phenomenon’).

From Figure 5, it is clear that by conditioning on $S$, we
can perform inference on each type of object independently
in parallel. The time complexity for exact inference in this
model is $O(ST2^D)$, ignoring the cost of running the detectors.
(Techniques for quickly evaluating detectors on large
images, using cascades of features, are discussed in Viola
and Jones”.) We can speed up inference in several ways. For
example, we can prune out improbable object categories
(and not run their detectors) if $p(N^t > 0 \mid g)$ is too low, which
is very effective since $g$ is fast to compute. Of the categories
that survive, we can just run their detectors in the primed
region, near $E(Y^t \mid g)$. This will reduce the number of detections
$D$ per category. Finally, if necessary, we can use Monte
Carlo inference (such as Gibbs sampling) in the resulting
pruned graphical model to reduce time complexity.
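The inference of Section 3.4 for a single object type, as an added example that is not the authors' code: it forms the count prior of Equation 3, multiplies in the detector and location likelihoods, and enumerates all 2^D bit vectors. All numbers are constructed, except that the highway row reuses the p(N = 0) = 0.6 quoted in the Figure 4 caption; counts are modelled exactly for n = 0..4 instead of the paper's bins, and the expert weights and means stand in for w_k(g) and beta_k^T g already evaluated on a gist vector.

```python
import itertools
import math

# Constructed inputs (assumptions, not data from the paper).
P_SCENE = {"street": 0.9, "highway": 0.1}               # p(S = s | g)
P_COUNT = {"street": [0.10, 0.50, 0.30, 0.08, 0.02],     # p(N = n | S = s), n = 0..4
           "highway": [0.60, 0.30, 0.10, 0.00, 0.00]}
SCORE_MODEL = {0: (0.0, 1.0), 1: (1.5, 1.0)}             # (mean, variance) of c given O
EXPERTS = [(0.8, 0.70, 0.004), (0.2, 0.60, 0.010)]       # (w_k(g), beta_k^T g, sigma_k^2)
TAU = 0.002                                              # variance around predicted Y
SCORES = [2.0, 1.2, 0.3, 0.1]                            # detector confidences c_i
YS = [0.20, 0.72, 0.50, 0.90]                            # vertical locations in [0, 1]


def normal_pdf(x, mean, var):
    return math.exp(-(x - mean) ** 2 / (2.0 * var)) / math.sqrt(2.0 * math.pi * var)


def count_prior(p_scene, p_count_given_scene):
    """Equation 3: p(N = n | g) = sum_s p(N = n | S = s) p(S = s | g)."""
    size = len(next(iter(p_count_given_scene.values())))
    return [sum(p_scene[s] * p_count_given_scene[s][n] for s in p_scene)
            for n in range(size)]


def location_likelihood(y, present, experts, tau):
    """p(l | O, g): Gaussian mixture if present, uniform on [0, 1] if absent.

    Integrating N(l | Y, tau) against each expert N(Y | m_k, v_k) gives
    N(l | m_k, v_k + tau), the closed form mentioned in the text.
    """
    if not present:
        return 1.0
    return sum(w * normal_pdf(y, m, v + tau) for w, m, v in experts)


def local_posterior(score, score_model):
    """Detector-only posterior p(O = 1 | c) under the uniform 0.5 prior."""
    on = normal_pdf(score, *score_model[1])
    off = normal_pdf(score, *score_model[0])
    return on / (on + off)


def integrated_marginals(scores, ys, p_count, score_model, experts, tau):
    """Exact p(O_i = 1 | c, l, g) by enumerating all 2^D bit vectors."""
    d = len(scores)
    total = 0.0
    marginals = [0.0] * d
    for bits in itertools.product((0, 1), repeat=d):
        n = sum(bits)
        # p(O | n) is 1 only when exactly n bits are on, so the prior
        # weight of this bit vector is p(N = n | g).
        weight = p_count[n] if n < len(p_count) else 0.0
        for o, c, y in zip(bits, scores, ys):
            weight *= normal_pdf(c, *score_model[o])
            weight *= location_likelihood(y, o, experts, tau)
        total += weight
        for i, o in enumerate(bits):
            if o:
                marginals[i] += weight
    if total == 0.0:
        raise ValueError("count prior assigns zero mass to every configuration")
    return [m / total for m in marginals]


if __name__ == "__main__":
    prior = count_prior(P_SCENE, P_COUNT)
    print("local     :", [round(local_posterior(c, SCORE_MODEL), 3) for c in SCORES])
    print("integrated:", [round(p, 3) for p in
                          integrated_marginals(SCORES, YS, prior, SCORE_MODEL, EXPERTS, TAU)])
```

In the constructed data the first detection is the most confident but sits far from the primed region, so the detector alone ranks it first while the integrated posterior ranks the second detection first.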


4. RESULTS 
Examples of the integrated system in action are shown in 
Figure 6c: We see that location priming, based on the gist, 
has down-weighted the scores of the detections in improb- 
able locations, thus eliminating false positives. In the sec- 
ond row, the local detector is able to produce a confident 
detection, but the second car produces a low-confidence
detection. As the low-confidence detection falls inside the
predicted region, the confidence of the detection increases.
Note that in this example there are two false alarms that 
happen to also fall within the prediction region. In this case, 
the overall system will increase the magnitude of the error. 
If the detector produces errors that are contextually correct, 
the integrated model will not be able to discard those. The 
third row shows a different example of failure of the inte- 
grated model. In this case, the structure of the scene makes 
the system think that this is a street scene, and then mixes 
the boats with cars. Despite these sources of errors, the per- 
formances of the integrated system are substantially better 
than the performances of the car detectors in isolation. 

For a more quantitative study of the performance of 
our method, we used the scenes dataset from Oliva and 
Torralba'' consisting of 2688 images covering 8 scene catego- 
ries (streets, building facades, skyscrapers, highways, moun- 
tainous landscapes, coast, beach, and fields). We use half of 
the dataset to train the models and the other half for testing. 

Figure 7 shows performances at two tasks: object local- 
ization and object presence detection. The plots correspond 
to precision-recall plots: the horizontal axis denotes the 
percentage of cars in the database that have been detected 
for a particular detection threshold and the vertical axis is 
the percentage of correct detections for the same threshold. 
Different points in the graph are achieved by varying the deci- 
sion threshold. For both tasks, the plot shows the perfor- 
mances using an object detector alone, the performances of 
the integrated model, and the performance of an integrated 
model with an oracle that tells for each image the true context. 


Figure 5. Integrated system represented as a directed graphical model. We show two object types, $t$ and $t'$, for simplicity. The observed
variables are shaded circles, the unknown variables are clear circles. Variables are defined in the text. The $\Sigma^t$ node is a dummy node used
to enforce the constraint between the $N^t$ nodes and the $O_i^t$ nodes. $O_i^t$ = indicator of presence of object class $t$ in box $i$; $Y^t$ = vertical location of
object class $t$; $N^t$ = number of instances of object class $t$; $\ell_i^t$ = location of box $i$ for object class $t$; $c_i^t$ = score of box $i$ for object class $t$; $D$ = number
of high-confidence detections; $g$ = gist descriptor; $S$ = scene category.
Figure 6. (a) Three input images. (b) Top four detections from an object detector based on local features. The thickness of the boxes is related
to the confidence of the detection. (c) Predicted location of the car based on global features. (d) Combining local and global features.
Panel titles: (a) Input image; (b) Car detector output; (c) Location priming; (d) Integrated model output.

The performance of the integrated model has to lie between the
performance of the detector alone and that of the context oracle.

Figure 7 (right) shows a precision-recall curve which quantifies
the performance of three different systems for detecting
object presence. The worst one is based on an object detector
using local features alone; the middle one is our integrated
system which uses local and global features; and the best one
is an oracle system based on using the true scene category
label. We see that our integrated model does much better
than just using a detector, but it is clear that better scene
classification would improve the results further. It is important to
note that detecting if an object is present in an image can be
done with good accuracy even without object localization. The
knowledge of the scene depicted by the image can be enough.
For instance, in a picture of a street it is quite certain that a
car will appear in the picture, while it is unlikely that a car will
appear on a beach scene. Therefore, the relation between the
scene category and the object can provide a lot of information
even when the detector fails to locate the object in the image.

Figure 7 (left) shows a precision-recall curve which quantifies
the performance of three different systems for localizing
objects. Again the worst one is based on an object
detector using local features alone; the middle one is our
integrated system which uses local and global features; and
the best one is an oracle system based on using the true scene
category label. In this case, knowing the true scene category
does not help as much: it can eliminate false positives
such as cars in indoor scenes, but it cannot eliminate false
positives such as cars detected in a street scene but up in the
sky. (Of course, the gist-based location priming system tries
to eliminate such spatial outliers, but knowing the scene
category label does not help with localization.)

Figure 7. Performance on car localization (left) and car presence
detection (right).

Object localization is a much harder task than merely 
detecting the presence of an object. This is evident from the 
horizontal scale in Figure 7 (left): the recall never goes beyond 
about 30%, meaning that about 70% of cars are missed by 
the detector, mostly due to occlusion. Even if context can be 
used to narrow down the search space and to remove false 
alarms that occur outside the relevant image region, still, if 
the detector is not able to localize the object, context informa- 
tion will not be able to precisely localize the object. The use 
of global context (even with the oracle) does not increase the 
recall (as this requires the detector to work), however context 
is able to increase the precision as it is able to remove false 
alarms in scenes in which cars are not expected. It is possible 
that a finer grained notion of context, perhaps based on other 
objects, could help in such cases. Note, however, that for 
image retrieval applications (e.g., on the web), object presence 
detection is sufficient. For speed reasons, we could adopt the 
following two stage approach: first select images that are pre- 
dicted to contain the object based on the gist alone, since this 
is much faster than applying a sliding window classifier; then 
apply the integrated model to further reduce false positives. 


5. CONCLUSION 

We have discussed one approach for combining local and global features
in visual object detection and localization. Of course, the system is
not perfect. For example, sometimes objects appear out of context and
may be accidentally eliminated if the local evidence is ambiguous (see
Figure 8). The only way to prevent this is if the local detector gives
a sufficiently strong bottom-up signal. Conversely, if the detector
makes a false-positive error in a contextually plausible location, it
will not be ruled out by our system. But even people can suffer from
such “hallucinations.”

In more general terms, we see our system as a good example of
probabilistic information fusion, an approach which is widely used in
other areas such as speech recognition, which combines local acoustic
models with longer-range language models. Since computer vision is
inherently a difficult inverse problem, we believe it will be necessary
to combine as many sources of evidence as possible when trying to infer
the true underlying scene structure.


Figure 8. An object which is out of context may be falsely eliminated
by our system.
NEC Laboratories America, Inc.
Research Staff Member - Grid Storage 


NEC Laboratories America, Inc. is seeking re- 
searchers who are passionate about solving real 
world problems to join our Grid Storage Depart- 
ment in Princeton, NJ. The department engages 
in storage research with a focus on networked 
storage. To qualify for the position, candidates 
must have: 

> PhD in Computer Science (or equivalent), with 
a strong publication record 

> Experience with storage systems (file systems, 
object or content based storage systems, data- 
bases) 

> Experience in designing, building, and evaluat- 
ing distributed systems and protocols 

> Knowledge of fault tolerance and availability tech- 
niques for local and wide area networked systems 

> Excellent verbal and written communication 
skills 


Candidates must be proactive and assume 
leadership in proposing and executing innova- 
tive research projects, as well as in developing 
advanced prototypes leading to demonstration in 
an industry environment. 

Experience in Cloud Computing or SaaS is a 
plus. 

For more information, visit http://www.nec-labs.com/careers/.
For consideration, please forward résumé to recruit@nec-labs.com
and reference “Grid Storage” in the subject line.
North Carolina Central University
Computer Science Faculty Position 


The Department of Mathematics and Computer 
Science invites applications for tenure-track fac- 
ulty positions in all areas beginning Fall 2010. 
A Ph.D. in computer science or related area is 
required. The successful candidate must have a 
commitment to the academic process, excellence 
in research, education, and service, and to diver- 
sity in the community. The candidate must have 
a desire to participate in student academic and 
thesis advising, and curriculum development. 
We are particularly interested in candidates with 
research interests in artificial intelligence, com- 
puter vision, computer graphics, grid comput- 
ing, robotics, computational biology, software 
engineering, multimedia applications, networks, 
mobile computing, wireless sensor networks and 
security/cryptography. 

The campus is located in the Research Trian- 
gle Area, an ideal location in NC with several uni- 
versities and high-tech companies. Applications 
and inquiries should be sent to ruma@nccu.edu. 
Further information can be found at:
http://boole.cs.necu.edu/emp2010/employment.html

Departmental resources include extensive 
computing facilities of workstations, servers and 
personal computers with multimedia capabilities 
and specialized networks and devices. Faculty 
members have access to high performance com- 
puting platforms provided by the university and 
its partners. 


Sandia National Laboratories 

Math & CS Research 

Discrete Math and Computer Science R&D for 
Social and Computer Network Analysis 


Sandia National Laboratories seeks new PhD re- 
searchers for long-term positions in mathematics 
and computer science for understanding large- 
scale, complex, social and engineered networks. 
Of particular interest are experts in computation- 
al topology, graph-feature identification, commu- 
nity detection, statistics, machine learning, com- 
putational linguistics, and uncertainty. 

PhD in CS, math, statistics, or equivalent is 
required. Publications, software, and applica- 
tion experience is desired. The position involves 
national security applications; the ability to ob- 
tain and maintain a U.S. security clearance is re- 
quired. 

Apply at http://www.sandia.gov/careers to Job 
ID 64380 before 3 April 2010. 

See http://www.cs.sandia.gov/hpc-informat- 
ics/careers/index.htm or contact Brett Bader (bw- 
bader@sandia.gov) for details. Sandia National 
Laboratories is an Equal Opportunity Employer 
M/F/D/V. 


Strategic Analysis Enterprises 
Software Engineer 


Seek full-time software engineer to support and 
extend a text information extraction system and 
perform other programming tasks. Salary is com- 
mensurate with qualifications. SAE provides 
health & dental insurance, 401k plan, profit shar- 
ing, and bonus earning possibilities to its em- 
ployees. 

Master’s or doctorate in computer science 
or computational linguistics, ability to program 
in C# and build a good Windows user interface 
(Java programmers who can switch to C# will be 
considered). Desirable: knowledge of pragmat- 
ics and English lexical semantics; Python and/or 
Perl; statistical research methods. US citizenship 
is mandatory. 

Apply for this job: steve@strategicanalysisenterprises.com


The University of Tennessee 
at Chattanooga 
Assistant/Associate Professor 


UTC invites applications for a full-time, tenure 
track appointment in Computer Science and 
Engineering, beginning July 1, 2010. The depart- 
ment seeks applicants with a Ph.D. in Computer 
Science or Computer Engineering, and a com- 
mitment to excellence in teaching and research. 
The successful candidate will have experience in 
teaching a broad spectrum of computer related 


courses, and will have experience/interest in in- 
terdisciplinary teaching and research, with a par- 
ticular emphasis on theoretical aspects of Com- 
puter Science. The CSE department (www.cs.ute. 
edu), part of the College of Engineering and Com- 
puter Science, offers an ABET accredited B.S. de- 
gree, a M.S. degree, and has received certification 
by the CNSS, NSA, and DHA as a National Center 
of Academic Excellence in Information Assur- 
ance Education. The College is also home to the 
SimCenter and its graduate programs (MS/Ph.D.) 
in Computational Engineering. 

To apply, please e-mail in Word or pdf format 
an application letter, resume and descriptions of 
teaching and research philosophies to Dr. Claire 
McCullough, Claire-McCullough@utc.edu. Also, 
please arrange for 3 letters of recommendation 
and a copy of your transcript listing the comple- 
tion of your doctoral degree to: 


Faculty Search Committee 

Computer Science, Dept. 2302 

The University of Tennessee at Chattanooga 
735 Vine Street 

Chattanooga, TN 37403-2598 


Screening of applicants who have provided 
complete information will begin immediately 
and continue until the position is filled. The Uni- 
versity of Tennessee at Chattanooga is an equal 
employment opportunity/affirmative action/Title 
VI & IX/Section 504 ADA/ADEA institution, and, 
as such, encourages the application of qualified
women and minorities.


Windows Kernel Source and Curriculum Materials for
Academic Teaching and Research.


The Windows® Academic Program from Microsoft® provides the materials you
need to integrate Windows kernel technology into the teaching and research
of operating systems.


The program includes:


Windows Research Kernel (WRK): Sources to build and experiment with a
fully-functional version of the Windows kernel for x86 and x64 platforms, as
well as the original design documents for Windows NT.


Curriculum Resource Kit (CRK): PowerPoint® slides presenting the details
of the design and implementation of the Windows kernel, following the
ACM/IEEE-CS OS Body of Knowledge, and including labs, exercises, quiz
questions, and links to the relevant sources.


ProjectOZ: An OS project environment based on the SPACE kernel-less OS
project at UC Santa Barbara, allowing students to develop OS kernel projects
in user-mode.

These materials are available at no cost, but only for non-commercial use by universities. 


For more information, visit www.microsoft.com/WindowsAcademic 
or e-mail compsci@microsoft.com. 
Solutions and Sources


Last month (February 2010, p. 120) we posted a trio of brainteasers, 
including one as yet unsolved, concerning the breaking of a bar of chocolate. 


1. Making S’Mores.

Solution. Charlie was able to break a five-by-nine-square-segment
rectangular bar into its constituent squares using 44 breaks along its
seams. But could he have done better? If you tried it yourself, you
might conclude that he could not have done better, but also that he
couldn’t have done worse. Indeed, breaking only one piece at a time,
Charlie is foreordained to make exactly 44 breaks.

Very smart people have been stumped by this puzzle, only to slap
themselves on the forehead when they realized that every break
increases the number of pieces of chocolate by one. Since there are 45
squares, there must be 44 breaks, no matter how they did it. In
general, of course, given an m by n chocolate bar, the conclusion is
that the required number of breaks is always mn − 1.


2. Playing Chomp.

Solution. Charlie’s children, Alice and Bobby, play a game called
Chomp in which they alternate eating a square together with every
square northeast of the first square, trying to avoid eating the last
square.

The game was invented (in a different form) in 1952 by Dutch
mathematician Frederik “Fred” Schuh and independently in 1974 by the
late mathematician and economist David Gale. The name “Chomp” was
coined by an amateur mathematician, the great puzzle maven Martin
Gardner. The proof that Alice can force a win is a classic
strategy-stealing argument that goes like this: First, since the game
is deterministic, full-information, and bounded in length, someone must
have a winning strategy. Assume it’s Bobby, and let square X be his
winning reply to Alice’s first move of biting off only the northeast
corner square. But Alice could instead have begun by taking X (and
everything northeast of X) on her first move, later adopting Bobby’s
winning strategy.

This contradiction shows it must have been Alice, not Bobby, who had
the winning strategy.


All readers are encouraged to submit prospective puzzles for future columns to puzzled@cacm.acm.org. 


Peter Winkler (puzzled@cacm.acm.org) is Professor of Mathematics and of Computer Science and Albert Bradley Third 
Century Professor in the Sciences at Dartmouth College, Hanover, NH. 
3. Alice’s Winning Strategy.

This proof works for any m by n chocolate bar (as long as it has more
than one square) but fails to reveal what Alice’s winning strategy
actually is. Subsequent work (such as at
http://www.math.rutgers.edu/~zeilberg/mamarim/mamarimhtml/chomp.html)
has solved the three-row game, but still no one knows how Alice is able
to win the game in general. Indeed, there may not be a general strategy
that can be described in a simple way.

But, hey, you never know. The 
game Bridg-It, also invented by Gale 
and publicized by Gardner, had the 
same curious property: It could be 
proved that the first player had a win- 
ning strategy, though no such strategy 
is known. It was later produced and 
sold commercially as a board game by 
game publisher Hasbro. Mathemati- 
cian Oliver Gross of the Rand Corpo- 
ration then came up with an elegant 
winning strategy. Explore the game 
and that remarkable strategy at
http://home.flash.net/~markthom/html/bridg-it.html.

So maybe Chomp has an elegant 
winning strategy after all. Meanwhile, 
if you find one, please tell the rest of us. 
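
For small bars the strategy-stealing argument can be checked by exhaustive search. The following is an added example, not part of the original column: it solves Chomp by brute force and then follows the proof's own steps to produce a winning first move for Alice. The function names and the board encoding (a tuple of row lengths, south row first) are assumptions made for this sketch.

```python
from functools import lru_cache

# A position is a tuple of row lengths, south row first; lengths never
# increase going north. Square (0, 0), the southwest corner, is the last
# square, the one nobody wants to eat.

def bite(rows, r, c):
    """Eat square (r, c) together with every square northeast of it."""
    cut = tuple(min(n, c) if i >= r else n for i, n in enumerate(rows))
    return tuple(n for n in cut if n > 0)

def moves(rows):
    """All squares still on the board, as (row, column) pairs."""
    return [(r, c) for r, n in enumerate(rows) for c in range(n)]

@lru_cache(maxsize=None)
def mover_wins(rows):
    """True if the player about to move can force a win."""
    if not rows:                      # the opponent just ate the last square
        return True
    return any(not mover_wins(bite(rows, r, c)) for r, c in moves(rows))

def winning_first_moves(m, n):
    """Every opening bite on an m-by-n bar that leaves Bobby lost."""
    start = (n,) * m
    return [mv for mv in moves(start) if not mover_wins(bite(start, *mv))]

def stolen_move(m, n):
    """Find a winning opening by following the strategy-stealing proof."""
    start = (n,) * m
    corner = (m - 1, n - 1)           # the northeast corner square
    after_corner = bite(start, *corner)
    if not mover_wins(after_corner):
        return corner                 # biting only the corner already wins
    for x in moves(after_corner):     # otherwise Bobby has a winning reply X
        reply = bite(after_corner, *x)
        if not mover_wins(reply):
            # The corner lies northeast of X, so biting X first reaches
            # the same position: Alice steals Bobby's reply.
            assert bite(start, *x) == reply
            return x

if __name__ == "__main__":
    for m, n in [(2, 2), (2, 3), (3, 4), (5, 9)]:
        print(f"{m}x{n}: winning openings {winning_first_moves(m, n)}, "
              f"stolen move {stolen_move(m, n)}")
```

The search confirms that a winning opening exists on every bar it tries, but, as the column says, it yields a table of moves rather than a strategy that can be described simply.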


[CONTINUED FROM P. 120] be grafted onto our instincts and drilled into
our minds. It’s just a set of guerilla tactics for the lawless byways
and ramshackle security of the Internet. Consider the warning about
giving away our passwords. Are you “giving it away” if the site that
requests it promises not to store it—as social networking sites often
do? Are we even aware that we’re giving it away if a Trojan (infected
software) on our computer pops up an apparently perfect but fake Web
page for our online banks? Other planks of cybersecurity education are
equally flimsy.

Cybersecurity education often fails because it doesn’t teach
fundamental principles that can be grafted onto our instincts.

Online privacy is another arena in which human instinct is foundering.
Drawing a curtain over a window at night offers a concrete, intuitive
form of privacy (and doesn’t require agreement to a thousand-word
privacy policy). Online privacy is a different matter. Suppose the
average user—or savvy one, for that matter—could digest online privacy
policies. Suppose the policy was simply “you own your data,” a widely
favored nostrum. It is still well beyond any person’s mental capacity
today to understand what data this person owns and how to go about
controlling it. When, for instance, photos of our face seep into search
engines, friends’ online content, archived Webcam images, and digital
photo albums of sightseers in cities we’ve visited, what does ownership
or control mean?

The poster children for the future of computer security are often
intellectually flashy inventions, such as, say, quantum cryptography.
These technological showpieces create trustworthy connections between
machines (sometimes) but not trustworthy connections between people—the
source of the real challenge.


The Romans adjusted to a new ma- 
terial world. Today, we’re mentally 
capable of translating numbers on 
computer screens into a measure of 
wealth, then into bread and circuses, 
houses, clothes, and cars. Human 
instinct lags in most of the places 
where cyberspace is swelling and 
ramifying. A future of informed and 
secure choice demands tools—tech- 
nological, educational, policy-orient- 
ed—that project cyberspace down to 
the scale of human instinct and intel- 
ligence. If not, we might wind up as 
stupefied as an early Roman staring 
at a chunk of bronze. 


Ari Juels (arijuels@rsa.com) is chief scientist and
director of RSA Laboratories, Cambridge, MA, and author 
of the novel Tetraktys, Emerald Bay Books, Newport 
Coast, CA, 2009. 
Future Tense, one of the revolving features on this page, presents stories and
essays from the

their boundaries limited only by our ability to imagine what will and could be.
Future Tense


The Primal Cue


Cybersecurity depends on the human dimension.


Ari Juels


MANY CENTURIES AGO, a mystified Roman farmer held a bronze ingot
crudely imprinted with a cow. He was handling an early form of currency
that supplanted a true cow—a life-sustaining, milk-and-flesh-producing
piece of wealth—with a chunk of metal that was strangely, with its
embossed animal figure, supposedly of equivalent value. (Roman cattle
spawned our English word “pecuniary”; the Latin for cattle is “pecus.”)

The early Romans faced an abstraction that often distorted the material
world beyond their intuition. Their befuddlement gives an historical
glimpse of the vast mental challenges that people of all stripes face
today as cyberspace undercuts our own deeply embedded intuition and
instincts—with ripple effects throughout security and privacy.

For pecuniary surrealism today, look no farther than virtual worlds
like World of Warcraft and Second Life. In them, developers of virtual
“real estate” earn real-world money for their oxymoronic efforts.
Laborers in third-world sweatshops work in gold mines represented only
in cyberspace. There have been real-world prosecutions for larceny of
virtual-world goods and at least one real-world murder over the theft
of a virtual sword. Virtual-world currency is spilling over into the
real world in the billions of dollars, adding a new dimension to
security concerns like money laundering. The law can’t keep pace with
these phenomena; the Internal Revenue Service doesn’t yet know whether
or how to tax them. The interpenetration of the real and virtual worlds
is happening in other ways, too. It’s possible to order a pizza in a
virtual world and have it delivered to our real doorsteps. It’s just a
matter of time before other real-virtual linkages become routine, say,
surgery conducted in a virtual world operating on real patients and
electric grids mapped into virtual space. Security failures will
inevitably propagate from virtual worlds into the real one.

It’s difficult to wrap our minds around these virtual/real
entanglements. But the online world also thwarts our security instincts
in much simpler ways. Humans are biologically wired to make trust
judgments through attunement to faces, gestures, and verbal
intonations. Social networking sites strip away these primal cues. For
instance, when a social networking site used by friends asks us to log
into an external email account, the request seems instinctively safe
thanks to the friends’ implicit endorsement. Some social networking
sites have exploited this herd instinct toward safety to entrap
subscribers through viral attacks. They invite new users to “Log into
your email account so we can see if you have other friends on this
network.” They then hijack our address books and send email to our
contacts in their name—inviting new victims in turn to join the social
network and render themselves vulnerable to the same trick.

Consumer education about online security is often trumpeted as a
countermeasure to such blunders. “Never give away your email password
to another site” is a ubiquitous warning. But cybersecurity education
often fails because it’s not true education. It doesn’t teach
fundamental principles that can [CONTINUED ON P. 119]